23542300x800000000000000066405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:43.828{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1888BE3856EF2ECB882737E971237FCA,SHA256=8D2A18E1AE35DBD5769C9A4636E9E0562ED3CDCF7D96ED84A8C7976F92914846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:43.453{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B476C0093FDE6D80E893A98982BD1B8,SHA256=F1B4BDDB75722DDA87101E84544BB7E63CC262DE572A907C313645401D1D41CB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000080992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localT1042SetValue2023-01-17 10:24:43.811{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 354300x800000000000000080991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:40.306{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49367-false10.0.1.12-8000- 23542300x800000000000000080990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:43.212{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A06557F4D52B6C26053A376A33BE9C,SHA256=9FC5002329C6AD35DCAAEA2BB8EB3EDCAF65E07D41AC1E2041E0F8A8437CB87F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:44.561{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F8858DAC898F63B41D3C5FDD734A92,SHA256=7E0FC0A64AEEC73C4A652BC717E2250D56FCFCEEB1F4DC24818F46E2121F241D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:44.316{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DD6DE9498BB9B3386E807EEF52888E,SHA256=5D71ACF49899304B6C0062345DBA558E3634EC15686994A78F229A951A34CB73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:45.674{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00446614AA304EC8CD3B89DACBFC2410,SHA256=3985229C2707E7B3B05D02A18717B2DA3AF44D4D1C060779D6121047F7852242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:45.421{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F569E997C04C486F4B2DEBD0CF81FA7,SHA256=25824104123C3BCA3B3233A467B53686BDF94BFF3175A0E36F889FDD88BAC6BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:45.319{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=628C9D44A4D8A47594B5918CB6E8C4DA,SHA256=BF66FD16919E030B20035D2913756ECDCD0ECFA658FFA9048DA0EFAB4B3D660A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:45.184{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50247-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:46.871{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458EC515DD9728BAD9E673C3360AA452,SHA256=A6B33213DA17DFBDD09E1D5673AFAEE603F173B5BBC3C0072CB542B46C1ABF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:46.505{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548170FAE43D7A95F6FDB50644A0A9AA,SHA256=A190F2AD8C5792917E5CBCD14CF093484CAE6ED7066B6CF3AF18F7B10F98E173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:47.958{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F03A31BA48F7FDAD1ECC2CAABE2966,SHA256=B3A14500D7D3F38959304EA4288F9253E31DE3D551A54A1D9E371CF587164BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:47.596{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12945124DF0BC6F59741AA4C24F24C0,SHA256=1D0AD6860F3467F2EEDFCCD47065CAC48A312C747BB11F5964480931CA5DFF5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:46.223{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49368-false10.0.1.12-8000- 23542300x800000000000000081020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.659{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C46DEE4E2CE74D3AF277DB9BB2DDA9,SHA256=8C71B2B7669670C269BFE78AC6E8AB7C28F20D580772ADF95D48591643B3D4F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.320{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.316{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.311{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.308{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.306{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.299{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.296{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.294{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.292{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.284{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.273{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.268{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.261{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.248{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.229{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.164{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.140{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.129{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.113{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.090{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000080999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.019{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000080998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:48.011{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000081022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:49.759{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9028E9130C35E4AACC5B4EF9D64404A0,SHA256=1E4330BF825E7DDE0ACA22ED6ED36D2F04A0D5C87C9FC21747AE25A767E659C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:49.043{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB13C119FC457BABE8791A5166E7E09A,SHA256=FD219F32463AA03DC1078A92DD9700D209B29D4CDE5EB78C6A8E5D1FCE7EEF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.793{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314468277D07C5FCB12EFD79B686F8F5,SHA256=769CD24998CC5B108FA891165592A1C85F69B66E37AAD1160EC4DE436659EF12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.769{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.767{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000066412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:50.133{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62A4A5DE35708708918F3CA424BCA39,SHA256=9FEA738AB187FA8F2142BD8CEEAA36B3C6D723D3828A24C13875B3464F45AC6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.378{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.378{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.377{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.361{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.345{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.341{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.335{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:50.323{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 13241300x800000000000000081032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:24:50.048{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000081031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:24:50.048{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0029cada) 13241300x800000000000000081030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:24:50.048{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a55-0x8c25d7d5) 13241300x800000000000000081029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:24:50.048{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5d-0xedea3fd5) 13241300x800000000000000081028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:24:50.048{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a66-0x4faea7d5) 13241300x800000000000000081027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:24:50.048{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000081026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:24:50.048{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0029cada) 13241300x800000000000000081025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:24:50.048{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a55-0x8c0de376) 13241300x800000000000000081024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:24:50.048{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5d-0xedd24b76) 13241300x800000000000000081023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:24:50.048{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a66-0x4f96b376) 23542300x800000000000000081065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.863{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DD4C4AAB4E69D785E0376354FFE262,SHA256=D5ECCAC9120DD3E796BA07A93BEE108EA6AE7F1DFDED2572D7DF8B69C0C9C5FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:51.222{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE351503454B8B5DE6E04E1B77AD2829,SHA256=B228EB21512D7D3363B70DB858C43E7FE9DF5BFA0F9AA75719AFD6245100704E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:49.431{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A50424- 354300x800000000000000081063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:49.429{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60450- 23542300x800000000000000081062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.701{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3744973FF9531B5C6D1DA652F618B706,SHA256=CAB0C6C2E5C1361ABA89C4271E194D73FD0B1BC0E50E13262FE26B318B74D86B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.362{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-76CC-63C6-F801-00000000B002}5048C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.361{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-76CC-63C6-F701-00000000B002}2912C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.347{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.338{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.336{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.335{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BA01-00000000B002}4944C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.308{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.303{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.292{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.288{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.286{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.284{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.282{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.280{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.278{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.277{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.275{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:51.274{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000081066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:52.953{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9DBED197CA1B634A51E1824263F34E,SHA256=EA61D88F2ADBE562D7684BA6E86F3AECC8140B36D050D6DAF93D838768432399,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:51.168{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50248-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:52.522{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A916D6A5BD85F6D2EA9E0785CE7FCBA3,SHA256=DA2D34DD5291EDDD538C479F0C8812309E2C5BFC7D6B92499040714B06A72841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.833{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EF310457DFFCA15021E2E945D5AB31,SHA256=C54E3BEEB8AE7B4FE19C05B406EBAE4D52721E1F0626E9D454BAD308782215E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:53.391{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FE555BE87DBD25885AA969CE380A59A7,SHA256=BB8B0DC87E5454BA7E208213E20931DD629E10E993FFEC0C320C193343FD633A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.521{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.506{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.469{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.450{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.446{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.412{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.400{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.382{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.375{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.372{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.368{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.364{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.361{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.358{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.357{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.352{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.349{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.347{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.345{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.342{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.337{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.333{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.330{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.322{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.310{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.283{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.259{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.190{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.175{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.157{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.146{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.135{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.124{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.112{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.102{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.090{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000066417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.086{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000066416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:53.084{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 23542300x800000000000000066456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:54.867{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D706E716B0C751D135204DA742F6696,SHA256=844DC2623AF6A5D50EDFEE22BCAD07CBC42DF8BA54E8774993EDAB201E5406B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:52.171{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49369-false10.0.1.12-8000- 23542300x800000000000000081068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:54.156{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B280C0B9A47BF42987CD1BF1BE061B,SHA256=12FBD9701000EA7F7E5F307963CFD51319476F9C37284D0BE13912DB65E55EA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:55.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:55.254{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3296D067139BAFAC63806643E0CD8C4,SHA256=0E300962D13C5475C79C200FEF3A2439B4C948B2B63E9CDB9D2F024432576113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:56.337{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3496AF4F28F5D5E9D8A3C335515B61A3,SHA256=E58E6F874766E30A54C6F9AAF75C3F4F3FF47BA6BAB88904049D485D6B2F7B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:56.041{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6ABC444AE1E7946FE31155BA8825307,SHA256=A71FC2E389804B16132AEC2B8E9CE2F4759205DD96A0F4450771532C340781CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:56.003{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:56.003{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:56.003{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6201068C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:57.434{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3B0E0E5BE60706395A093DC5395255,SHA256=829EAA2DBFC74F40C78E1EA8E2152A2FB600D8B86C3F3165AE32C434D1374442,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:56.235{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50249-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:57.013{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5F81C0D0ED92FB42CAC485C38A2EBE,SHA256=7FDF5B0C814076C2BE97945D1677EF99900A8F5CF9D62FFDDF6E77C7B4E48EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:58.520{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E14AF38B5E8408C95784945340764F,SHA256=A0CED04E379385ABED44AA3F27DC033D74079AB97617BF0FFFF336FD8E334254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:58.098{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3586721AD540D5BD3DFEB9FDADF22E47,SHA256=69D9AA3290488F7AA06684A5C351241E704A428CC920CA6B83C2146F1D4A8225,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:57.230{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49370-false10.0.1.12-8000- 23542300x800000000000000081074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:24:59.619{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94103F327712764E569907D99CE9883,SHA256=72A1921B8FEB3B3C3953FE99B44A5E4FF11D0F84029ECA575C6B94E7279AA5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:59.494{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:59.192{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126CDCA9D74D74355D239DC668BA3B5E,SHA256=F781B41534E025B58D77A430305666C1F464591903F39724DB6D9911079163DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:00.712{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220596FAA0BE9BE9B52737C02A134DFB,SHA256=A0DD9EFE1808528A7CBCB1ED9FE355E3D319E404F32CBD98EFDF523E831E22CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:00.297{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D53F3F9EF3D9AA42BF1B9709B7663E,SHA256=346F238D709EFB96B4601EC00DEC689F103A7EE1E9DD082BD43C2382696DFE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:00.296{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4782DA61153249002D1467915DB92052,SHA256=69F752A75A981DBF95F35F5FA13619DBCBB9390B49401407E5B86FB7BA7123C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:01.829{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C120DB44AD33B8FE2582B76502D8FBC9,SHA256=71B1C864B46ABA42DBB08A29FF701D972EEA3FC0F80975E2D407DD12F9BCB957,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000066471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:25:01.498{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92a5d-0xf5019a01) 23542300x800000000000000066470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:01.404{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5AF6307D2889EEA3A06012F84887A1,SHA256=55CB8F8EC660CD5112247221F8FFDD1AEC0E5754AE57D62EDCA94F25BDA1D2AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:24:59.481{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50250-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000081078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:02.924{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F491670F8D4E44052992BAF08D16BD52,SHA256=B4307D8C7103770B77310AEF89DF993586678AE8ED268A97DDF5D6C63CE0F118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:02.505{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B7B33DE6C8D0C850BC8FE8E07DDFEC4,SHA256=0E1DB313B7C30FFAD682C1B08EEE5645EB00FCE44E973CE2ACAED4F1FFD9F71A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:03.613{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC60D88DD1BD939F1DF3EF25B63443D,SHA256=BB432107E218566F5682A92329351D69FE489AEBE1F15B22112F4115CCC7E586,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:01.485{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x800000000000000066476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:04.705{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A32331D64B1C94075B958EA6A315E1,SHA256=A889DF7FFDC8A5400CD7129F5177496D35D7807A93B6D76CF70749907A7D8A85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:02.376{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49371-false10.0.1.12-8000- 23542300x800000000000000081079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:04.020{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E268FB9A7CE7990AADF4575213AF0B3D,SHA256=AA7EB89AC17EFE4CD409D40F2ED4CA0EA22D03969BB1A57E9B17E0948138192C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:02.050{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50251-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:05.808{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E25BA76325463945C1653700FE18C4,SHA256=3847153262C562ABCAEDA64C6B3423A3CAD5F09B8EABC1A0491A54AA3C29ACEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:05.111{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8346CC168D10AF951AEA801A7120139E,SHA256=9E88B7E4C738030A513B79BCFD45B8AB11010FAAD1612DF29DA812CAD003DDDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:06.209{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBAAC0EA1E354E4438D6DB32639B4F0,SHA256=DEB1E1038655967983A277CB22DED80611D63419E110678C06457792DFF2FCE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:07.997{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:07.994{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000081083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:07.315{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0472CA2FE94A89F287C004397E2D60C0,SHA256=7297EBF5D6D9A09A89E6A1C725556C5A0089B4238B1186A831419229D65B9660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:07.831{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-043MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:07.012{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCC91F23B34F60947CCD0D64C389A7E,SHA256=67CEBBA6DB49C4691A2B85FA6E93BFDD276469831628598F7623E2182596A743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.406{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911D0C978E58A1B00699EC4A581A2B39,SHA256=04A9524A00EC1D37B8BA44B041BF7DCB263D321AA51404AE6E8C5D550CB8F0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:08.839{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-044MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:08.114{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1676665BCD622DD760094D88FDE8B121,SHA256=F7845D1F3A809B87F63924ED315D3389C9256BB0C46949071CACEDA496A3F059,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.227{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.220{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.215{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.213{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.211{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.204{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.200{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.199{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.195{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.189{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.178{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.167{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.160{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.148{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.137{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.093{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.075{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.066{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.052{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.040{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000081107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:09.617{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76710D413C2D0E1AB0865FA0D5A6E56,SHA256=802117A007D3CB3007E617628165EBA03DA034D79402E1E6C8327F924A4D357F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:08.022{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50252-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:09.209{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF87C1491ABE1302E874D194C7C3540,SHA256=4E5930A04736A90B7CF78834A9003A7385B5608AE5E8BF2C26B60CA7B55C0169,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:10.735{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:10.734{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000081112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:10.677{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137D98E35F0465823BC232D51260D9E7,SHA256=0E3F15A98F58DBDA41F43AED90B091F4342804AD50E78B6ADD52B42661325556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:10.396{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C96184CC2FE484FD932B13609D204A9,SHA256=35F9F18C666B3D6604E6512CDAB96455CE13613DB91B7761A7749C8D1548EF3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:10.290{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:10.286{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:10.278{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:10.264{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000081134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.779{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1129D3FC415CD6007196F23E41A19E4,SHA256=FDAD18863A47F4821673E57C6484EA36E7A31A1342D8F62D4B77ABD438CC6CAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.663{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000066485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:11.491{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A6396385F831D57F0B94AA8AAD987B,SHA256=B0BC4C8BC333092BDB841801427FFEC662B3933A108458D8AED7492397164957,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.357{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-76CC-63C6-F801-00000000B002}5048C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.356{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-76CC-63C6-F701-00000000B002}2912C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.335{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.323{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.321{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.319{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BA01-00000000B002}4944C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.290{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.284{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.271{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.266{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.265{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.262{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.260{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.257{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.255{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.254{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.252{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:11.251{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 354300x800000000000000081115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:08.384{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49372-false10.0.1.12-8000- 23542300x800000000000000081135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:12.864{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCF82F0DFCBC295DC46B667132BD254,SHA256=D55D65106599482B568040B5C7A6331C99473C28C748417C7D63DB949BA40223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.815{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453699FB2D7871835982F5663D13F45B,SHA256=3A164729DA48B378351EC97BE5F8CE16226D19182D2B109A4CBCEA3864F7FACD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.315{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7788-63C6-1602-00000000B102}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7788-63C6-1602-00000000B102}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.312{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7788-63C6-1602-00000000B102}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:12.313{F6EEFE7F-7788-63C6-1602-00000000B102}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:13.963{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0100DAD140A237D141540161A281EF99,SHA256=97671F7547D65713139F49B68A17DB0DBE4B8373810105E80E9A93FF5084DABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.967{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B689516D06F531A24ED8D7341BA865,SHA256=E2C32ED5016CA27025CA45A92C7DADF7AE6BFCC422CEC1D1871CEF2688E111DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.426{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.416{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.393{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.373{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.370{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 23542300x800000000000000066565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.331{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB1E122BE79E3094640C7ED977F77184,SHA256=D6161615B8D945E8CBB5A5A55A98C46047F566DC1AB9CDB911A4A8DAE225C2E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.327{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.315{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.293{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.286{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.281{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.276{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.274{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.270{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.266{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.266{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.261{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.257{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.253{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.247{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.245{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.236{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.225{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.222{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.209{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.194{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.150{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.144{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.136{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 23542300x800000000000000066538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.127{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=47DCA6C5C8FC1201E608A51874FDFBFA,SHA256=AD079448FEAB9CCF02F9E2A7440D11A7B6A2AE77184A8A79F5BBDC0D65548FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.127{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.119{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.114{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.105{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.095{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.088{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.077{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.074{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 23542300x800000000000000081137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:14.750{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-043MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-778A-63C6-1802-00000000B102}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-778A-63C6-1802-00000000B102}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.954{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-778A-63C6-1802-00000000B102}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.956{F6EEFE7F-778A-63C6-1802-00000000B102}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-778A-63C6-1702-00000000B102}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-778A-63C6-1702-00000000B102}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.276{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-778A-63C6-1702-00000000B102}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:14.277{F6EEFE7F-778A-63C6-1702-00000000B102}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.998{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=05076305379D12556C66041A14C24D33,SHA256=CE7AD326414B849FB614030D242217BAB5AFE15B818823277CA9C3195C94160C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:13.161{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50253-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000066606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:15.194{F6EEFE7F-778A-63C6-1802-00000000B102}55843568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:15.151{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-778A-63C6-1802-00000000B102}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000066604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:15.151{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-778A-63C6-1802-00000000B102}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000066603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:15.151{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-778A-63C6-1802-00000000B102}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000066602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:15.150{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-778A-63C6-1802-00000000B102}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000066601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:15.149{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-778A-63C6-1802-00000000B102}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000066600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:15.149{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-778A-63C6-1802-00000000B102}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000066599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:15.063{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D03451FCD17D3C4A694BC3CA0E9EE27,SHA256=0A5DC0363727D6BC7916EA7F6080D08CDBF808059080F83C7743DB83C0008AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:15.760{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-044MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:15.063{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9125757854F3E6C6D42CAC0A9B8B18,SHA256=B68BDC7169BA665306B3BB7B1214085D8EDCD183CA1C104B643677EB248BE6B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.431{F6EEFE7F-778C-63C6-1902-00000000B102}44284736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-778C-63C6-1902-00000000B102}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-778C-63C6-1902-00000000B102}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.241{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-778C-63C6-1902-00000000B102}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.242{F6EEFE7F-778C-63C6-1902-00000000B102}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:16.210{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BD075E8D23CB528F77A1380499087A,SHA256=FFE97619D44394496760FA329B27723F05EE25EC5788FE42D243299A9A3A9D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:16.262{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59B88DD6E8D3CC88B88A7F3C589AB26,SHA256=984F5A381765FCC98D30A55961B16EA92DB3A41DD98A20C71230BCB1E4F4FEFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.571{F6EEFE7F-778D-63C6-1A02-00000000B102}22762672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.339{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-778D-63C6-1A02-00000000B102}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.338{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.338{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.338{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.336{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.336{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.336{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.336{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.336{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-778D-63C6-1A02-00000000B102}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.336{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-778D-63C6-1A02-00000000B102}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.335{F6EEFE7F-778D-63C6-1A02-00000000B102}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:17.293{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018F4F4BADBA864D0F46932E0079AF14,SHA256=843B4C5B69B5404B52F5C8E4DAAD4639C1E43298CA2A70470E88A0B7AA7091D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:14.388{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49373-false10.0.1.12-8000- 23542300x800000000000000081141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:17.444{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4534933FE569A1C31271C9012BB805D3,SHA256=2B967C5C64617E083E8C4CB2F9B08A997C03994D15E14AF197F901ECF760F458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.636{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49E110D6BF48FA5E78179CD0454A418,SHA256=5BD5143285E49F1FC1C071F407999CDE77DCBBDF01FD0C5F986C435EFB5DA064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:18.555{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02EF400CEBF56F822C4CEFA23F8511E,SHA256=15402466666CDA67ACA2C33C300BC355BADCC73D0F9D345F451F559B217BCABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.196{F6EEFE7F-778E-63C6-1B02-00000000B102}12925976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-778E-63C6-1B02-00000000B102}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-778E-63C6-1B02-00000000B102}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-778E-63C6-1B02-00000000B102}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.009{F6EEFE7F-778E-63C6-1B02-00000000B102}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.685{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759B8412BEF53F8B7E9BC944598DAB6A,SHA256=61C2060A5B8F8BC12DFFEFF8B7EB203294507C29D65799F203C25A2F00E1AC59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:19.650{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4999E59AA32C130A89348C4A8E9EE28,SHA256=2B998AA2ED755C3DBA77C29EBAE5DEC871C8501547132CACED1C5D303373987B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-778F-63C6-1C02-00000000B102}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-778F-63C6-1C02-00000000B102}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.482{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-778F-63C6-1C02-00000000B102}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.483{F6EEFE7F-778F-63C6-1C02-00000000B102}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:19.073{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F5C2BE57D55280C2483F43A59DE288C,SHA256=C9EDB41D54D2F7A748A387E4102CC056807F2E414337FF1AE2B9978D07E26F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:20.773{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E9A75948C555D3115B9ABB2C1437EE,SHA256=E3B2A7CE014F36FC45DBB5B3C07262B62FAA259C7BD153B992E5B40F6F7213E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.958{F172AD64-7790-63C6-1902-00000000B002}66846692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.781{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7790-63C6-1902-00000000B002}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.781{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.781{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.781{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.781{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.781{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7790-63C6-1902-00000000B002}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.781{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7790-63C6-1902-00000000B002}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.782{F172AD64-7790-63C6-1902-00000000B002}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.750{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC67B72528D9CAFDEE7D11C6B4054E0,SHA256=9E565065C4E27D721A6E7F919FCB438EE1B8D1EFCE6146CE43825A135029D4A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:18.245{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50254-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.640{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=78048850BA6D484FCA625B16CF806D27,SHA256=91A18A2BB5A8963D4C1DB226818F83C7FC8E450003C0C750B9D97C146F8CC1AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.248{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7790-63C6-1802-00000000B002}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.248{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.248{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.248{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.248{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.248{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7790-63C6-1802-00000000B002}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.248{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7790-63C6-1802-00000000B002}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.249{F172AD64-7790-63C6-1802-00000000B002}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:21.880{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB745D1D3BDD344743213871441936AB,SHA256=7C2D29A014C0422FB50EC56A944903697E78A2BD6AD1F2438500A4A28F270181,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.971{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7791-63C6-1A02-00000000B002}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.971{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.971{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.971{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.971{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.971{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7791-63C6-1A02-00000000B002}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.971{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7791-63C6-1A02-00000000B002}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.972{F172AD64-7791-63C6-1A02-00000000B002}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.939{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1E8721CEF7A670D768A0B845433FD0,SHA256=04F7ED26D30BED568D1DC89BFAD50C381421A333236DD75BEE12BBB395686D1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.893{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=438921E0D38BFE3FB64123DA37C9FD3F,SHA256=6B92DEF092E4E0A4BEEBBB58D0083895F9F62D928322DCCFEB42689C8ED6E9BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.595{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.595{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.595{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.595{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.595{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.591{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BA01-00000000B002}4944C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.591{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BA01-00000000B002}4944C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.591{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.591{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.588{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BA01-00000000B002}4944C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.588{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BA01-00000000B002}4944C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000081164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:21.308{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C22C606D2B14960D05B3047516E13D5,SHA256=F3A6F34E2C4AEDA59213AE632493EA22A1FB8DBB7DE9ED3EB370FEC2DDBDBDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:22.970{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EB629269C3DD3351F50C4A05CB7201,SHA256=1D1B31DDFEDF4C04102034DFDAA6145C9A05EE19123FA8C5B8F483715B1E103C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.701{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49375-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000081187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.701{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49375-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000081186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:20.161{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49374-false10.0.1.12-8000- 23542300x800000000000000081189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:23.030{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766231C1E194FEC2DA81F53CBD0E729D,SHA256=6220C7FF48D18B21F3B72554C95F696044F10A86812519E047AEC69F59CFFEED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:24.560{F172AD64-7794-63C6-1B02-00000000B002}47442564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:24.337{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7794-63C6-1B02-00000000B002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:24.337{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:24.337{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:24.337{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:24.337{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:24.337{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7794-63C6-1B02-00000000B002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:24.337{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7794-63C6-1B02-00000000B002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:24.337{F172AD64-7794-63C6-1B02-00000000B002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:24.227{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD64C971C61F94F3B5C539C654854E4B,SHA256=D0334C620ABBDB5E3A80031F2265B6176E28A20F4A15E6871A997E95E920A433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:24.072{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10ABA74AD27FB45EA49B68E81EDAC3DF,SHA256=0753253065CF48385207943070962DC46FA9C2C229DCE1130AC4610D970D608E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.870{F172AD64-7795-63C6-1D02-00000000B002}71406400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.789{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7795-63C6-1D02-00000000B002}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.789{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7795-63C6-1D02-00000000B002}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.789{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7795-63C6-1D02-00000000B002}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.789{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7795-63C6-1D02-00000000B002}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.788{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7795-63C6-1D02-00000000B002}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.788{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7795-63C6-1D02-00000000B002}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.673{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7795-63C6-1D02-00000000B002}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.673{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.673{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.673{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.673{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.673{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7795-63C6-1D02-00000000B002}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.673{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7795-63C6-1D02-00000000B002}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.674{F172AD64-7795-63C6-1D02-00000000B002}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.319{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD260DC1A9872C257E87A8A44469F72D,SHA256=1D529AFCAEE6EBC912772679F2599BB385CAD63363A2124ADA69A56E546D783C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:24.246{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50255-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:25.167{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946F08B3D8B9C8A9C68FB947E9A628DB,SHA256=AD8DE2F5D81845FFDA7AB8099C709C9D4B0A842E682D816FF227A67650ADDBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.194{F172AD64-7795-63C6-1C02-00000000B002}66766924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.006{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7795-63C6-1C02-00000000B002}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.006{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.006{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.006{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.006{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.006{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7795-63C6-1C02-00000000B002}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.006{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7795-63C6-1C02-00000000B002}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.007{F172AD64-7795-63C6-1C02-00000000B002}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:26.764{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7796-63C6-1E02-00000000B002}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:26.764{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:26.764{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:26.764{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:26.764{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:26.764{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7796-63C6-1E02-00000000B002}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:26.764{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7796-63C6-1E02-00000000B002}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:26.764{F172AD64-7796-63C6-1E02-00000000B002}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:26.729{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BFA04B88A7D9513661EC1DE7F77E4CA,SHA256=82A94D3F5C18246EF9A86BCAE337A86028F6E623B3C31A95F8F266274300E193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:26.409{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF5729500C3BD3EE85FD807AA92507C,SHA256=F2F419D0E60089730291FDDCF7D5D95A6E4C80BF98815EF78169BAD4DB692972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:26.247{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A9BE7059F559BCE449A9FE350DB2EF,SHA256=F5F65FECBE524D4D038B53B5EBAB7BDA0560885D43F044894296F96CBAA29F92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:27.993{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:27.990{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 354300x800000000000000081236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:25.367{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49376-false10.0.1.12-8000- 23542300x800000000000000081235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:27.499{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF62FDA17D692ADB8DA4B17A788E21A0,SHA256=FED5560BB587DEFEC4BD9C1277F36366878A073A7DCA1A6CCC18E2977C6A06F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:27.322{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80090A3996943B6F85C79BDBA3316506,SHA256=F9EAD0ABA73E1C043DB4CEAAA82A589BB2FA61B4302C58E852CD1B755AC8D691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.558{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2531FE9A302E1539BD9174B391E6BE57,SHA256=6F331B0782FBE5D4CAEB485FDF4758C995141AC317DE33BF49CB526508C60603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:28.417{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E778A55C95A6CDB81E9F7321CC0BDB,SHA256=A48E3310E14DB6654C8D3D719DFEB5365617562B97C626DC443E53016B92828F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.228{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.224{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.217{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.215{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.213{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.207{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.203{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.201{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.199{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.194{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.172{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.164{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.157{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.148{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.136{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.093{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.078{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.070{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.057{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:28.045{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000081260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:29.665{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA463CB88E373AE0F2960498187664FF,SHA256=752405EAC30769EF098BCA5704AFDEBEEF9C919636A44651E8E15874D0A4FDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:29.511{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097B65B14F53EBDF0BF9BA260F88ABA2,SHA256=AB4F73AA1F25462EC470104C6628E1470A4AA8442AB2206A11CB1469EC7F91DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:30.975{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:30.886{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:30.885{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:30.768{F172AD64-6CE8-63C6-0D00-00000000B002}8922084C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:30.730{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44624FF44DD35CE366513F35E43B36D9,SHA256=3EED2F3F78335201457F034ACE4653C6A0394574B0C8F512E6FA51D375A6DDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:30.605{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9DE7343CC3AAD916C7949BAAF9F2D6,SHA256=0EA000732862AFAEAAE7D48EC995F191737B0D1C2B3D573141F2442D63D690E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:30.291{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:30.285{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:30.275{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:30.256{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000066680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:31.812{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD8D5DB3EB635169740207D0EB61935,SHA256=5701D5EEB891A1AA415A02BC03AD1D55E80BE4243088CD06CC0C26C2194747B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.808{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B177E62D8AC0D821B593403A91D31C55,SHA256=F89AF3610809AC2228126B557EB3F47955AA57A871387FDF9B677A03EC7E4E35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.487{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-76CC-63C6-F801-00000000B002}5048C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.486{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-76CC-63C6-F701-00000000B002}2912C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.471{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.461{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.459{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.457{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BA01-00000000B002}4944C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.434{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.428{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.416{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.411{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.409{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.407{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.405{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.402{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.399{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.398{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.396{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.395{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 354300x800000000000000081290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:30.097{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49377-false10.0.1.12-8089- 23542300x800000000000000081289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:32.912{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2E07D681156C5737804C40F5D5DED2,SHA256=9F0529E74EE1107E6DDDEAEBBAAA249FA03A769C8F816CEA2DBA01DC55B302DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:30.055{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50256-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000066721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.412{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.402{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.366{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.354{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.351{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.324{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.318{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.302{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.296{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.293{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.283{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.277{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.275{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.262{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.256{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.244{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.240{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.224{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.213{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.178{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.166{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.152{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.135{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.124{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.118{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.107{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.099{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.088{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.080{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.077{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 23542300x800000000000000066682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:33.019{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2714732A147E9C8330F6A59CD1EF63D,SHA256=F0A9F75A8C8FDB2D372C7DA95C0A9387D5C094370AE44F807C1795581D8BB24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:34.099{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09E84AE3C5C26840FC6430AE661B536,SHA256=26DC70A8EB663DF92C69DCF20938A44E3949F292A12206541219862204386EF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:34.182{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:34.012{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7557E17C913950FA84DD2ADEDE532558,SHA256=3862EF8DC829CD28A3EA8BE7F8B434605E0C780DD4A67649F2ABE24AC0FBF6B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:31.259{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49378-false10.0.1.12-8000- 23542300x800000000000000066723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:35.191{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC172FD154D0E39853584454A8952B2F,SHA256=1D98EA6DA58F026FC9FF7B3701BD2ABBDAD6B49FF53D4A02C95D1079866F79E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:35.125{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D15479F30E992CF4C0C46A9D70AD6DB,SHA256=AA1EFED14234913E719C4B5190A6BF2C951690C0B7A20986A1307F57C5F5C438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:35.078{F172AD64-76CC-63C6-F801-00000000B002}5048NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.blfMD5=FCA60028604CBB1B9D7C770F058610FD,SHA256=226ED3B172155CCBFE98BF8AE16078429B9AA2AEEAC95206D3675D1A39175026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:35.062{F172AD64-76CC-63C6-F801-00000000B002}5048NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.2.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000081296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:35.047{F172AD64-76CC-63C6-F801-00000000B002}5048NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.1.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000081295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:35.031{F172AD64-76CC-63C6-F801-00000000B002}5048NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.0.regtrans-msMD5=8A7F31E4FA3C8E2617498494A091D4CB,SHA256=95ED45DDDFF38BFFDB857D7CB682DC9CD866602DB4FE8BEFE28972D5A594DFC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:35.015{F172AD64-76CC-63C6-F701-00000000B002}29124264C:\Windows\servicing\TrustedInstaller.exe{F172AD64-76CC-63C6-F801-00000000B002}5048C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\combase.dll+7d0d8|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000066724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:36.267{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14E228FCEC4479F56DA5D60C5D4A15A,SHA256=05B747F68D0AB054DF6488802A33942826DFCB5A81E9FFECD1CAD729380A559B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:36.928{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=128880AABEBCE95030259F83457A5CE0,SHA256=35D8FD38276B306B50F43C703842F95F7225D7F74CC82E15938BAE7194EBC0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:36.097{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FA1997AFADCBFFDF45FB5093D1FFB0,SHA256=FF5C5D478FC3AAA0EC9A811DB3B0CF8D6B864E6DA70C0554F4C17D8B26CB1551,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:33.322{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49379-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local445microsoft-ds 354300x800000000000000081300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:33.322{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49379-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local445microsoft-ds 354300x800000000000000066726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:36.033{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50257-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:37.358{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58762664293CF385003064459B69BE9,SHA256=2E6FCF2A1EA40986EDE3AF43B4E615B843894A91BD3D2864ED2EFFDE5D494AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:37.194{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F964FF5C86AEFB617C9D662C356C7B99,SHA256=4F58659329DAB5DADA441ADDB077BCAAFDFBC9CDF102B45CB2A1B10477A2D272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:38.452{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC33C11950D1B4AE2823218D195B6AC7,SHA256=BA2F480D5CC85AF4E0E4AC269E4D5EBE09251B2B9AAA39B6009D24F57EDF6A12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:36.393{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49380-false10.0.1.12-8000- 23542300x800000000000000081307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:38.280{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FEFAF02FB1D408D943ECB279C33CC0,SHA256=1B8BCE9E9B0A0DF52DFB3A1D2B9099C82F033F77C23E7DABFB90A601E3D62B42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:38.045{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:38.045{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000066728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:39.545{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1E7173EC0D1684A91C7C435D903121,SHA256=3B93A2649AF903AA24A8CA6E78E00678B337F29CA2FB2753EB7E82ECA74DEF55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:37.183{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62176- 23542300x800000000000000081309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:39.373{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E466E13E94528E6E0E548FFF59EE1E0,SHA256=36D31A1B8B1B9E0304DBAE1D20277F8A1075E46409505EBB7D34865219132A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:40.622{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA730C7291E04921253F87854A3915BA,SHA256=25258C8F8C087F1BD7B3DFDA1514DCA8CA5788D2604FAC2AECB1DDC675083162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:40.471{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0A20DF3A70B931BE2E8BADAFF3B723,SHA256=56B5535A782FD85EDCD3C88E6105AC2FF089EDF23340BE517B50ECC230A0F015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:41.709{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B062A1E05407451F494A6B152A28FA,SHA256=FDAD7525108E0755355AFBD055ABBA40CF1BF1C391A6BCAB45C54D5718B4BF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:41.580{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0C525456CD15A1725D5BDB48B572FC,SHA256=91F0705DE8D798709C7C2DBCE84BB8A2DB485150750D3E42BD537028C20324B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:42.803{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB2B8A5862995BD6D24453730B3B768,SHA256=5BBBA097D85CDF5BC7896CA0B1010B8344B74C8E12866143015C84DF501180CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:42.683{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AFC83C54CD690CF787E112789B63D5,SHA256=230A9C8E7ABB730DCCDBE24A299F17A103759F069D5596D0BBC37E1182F80C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:43.788{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E71BDC036E17AF8B513591568B180D9,SHA256=325C741E970189BD804A858FEED8FAD87C59E6EAED58DE3B1211197816705EF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:42.038{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50258-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:44.880{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079E2D4C57FD2D99725035AEDBA5D6CE,SHA256=047709718A25CB83A92448A54C83CA9D8400EC36389D084ED64548F54A92F5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:44.209{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A86D1986B9C0DC3EDA1B2DB58329D0E1,SHA256=BD0C667341B6885FD351D7953424FAD3483189D0F66D338727BB9753A9A21345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:44.006{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CD53BD09C09E656101B07538265BE1,SHA256=AF988C45B23F3E2652283CC992AC136E4278F66F60110FFA43F8E4A0C02303AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:45.973{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F478FC0667921B6EA9F93DC8AB9CE928,SHA256=35636AFFEE6745C05FE6154C068B124A095DA3A46D62F09BB53E4C304B30830A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:45.942{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:45.942{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:45.942{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000066735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:45.211{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C41FA93EB02CD1292D699E9A7B43E3,SHA256=FE5817FDB59824BD89B7D1481A32D09705DFED13B782A3352984CE24258F99D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:42.148{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49381-false10.0.1.12-8000- 13241300x800000000000000081320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:25:45.099{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML 13241300x800000000000000081319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:25:45.099{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D769BB51-6658-4EA8-AE97-39FC12592D5B\Config SourceDWORD (0x00000001) 13241300x800000000000000081318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:25:45.099{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D769BB51-6658-4EA8-AE97-39FC12592D5B\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D769BB51-6658-4EA8-AE97-39FC12592D5B.XML 10341000x800000000000000081317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:45.083{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:45.083{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:46.959{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9755D81CB3B0CB6AE644AE5EE896957,SHA256=6C44AAC1E4AFB420433A6F44080EA9B705095380A166832E2866572BD25D256C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:46.959{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=307468AEEC5EFD1FDA5235C2E9014311,SHA256=8D449D27AA47F12AB62B146605320D309413C7149D87E9E24D78B6A01CADE9D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:46.946{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:46.945{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000066736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:46.294{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A254C55C86EB33B966CD911CA14F2D,SHA256=5B2C1AF98AEC8D6CD82EA2442BECC7370A49D90837C7CE039476A02846F50A20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:46.790{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:46.790{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:46.790{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:47.998{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 23542300x800000000000000066737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:47.390{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F315F4FE354633F22A3484C582A635E,SHA256=16BE73CDD282660AADA3C58AE677D43A84721DC3074664C8F15C970F2CDB8BD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:45.078{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49383-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000081338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:45.078{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49383-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000081337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:44.242{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:2821:e50c:8b:ffff-53279-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000081336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:44.242{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local53279-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000081335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:44.222{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49382-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local135epmap 354300x800000000000000081334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:44.221{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49382-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local135epmap 10341000x800000000000000081333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:47.127{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000066739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:47.235{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50259-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:48.483{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FD7A2C0D51A50F4CE6CA36576E3520,SHA256=CDCED6DD3A230B034315BAC5FA93315756CFC8F538BDB26087AF20638490D34D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:45.926{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49384-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000081363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:45.926{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49384-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 10341000x800000000000000081362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.187{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.184{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.179{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.177{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.175{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.169{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.165{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.163{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.161{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.156{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.146{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.141{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.134{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.127{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.120{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.086{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.075{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.069{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.061{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.053{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000081342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.052{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9C6EB6B4858B4E4FDCF29CF48AAEDF,SHA256=C69B4895533E98A4CDD9A5F35B4E24393F632817132DD286568308E81DE84EC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:48.008{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 23542300x800000000000000066740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:49.578{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6B1B6C3D38720814A8A7D783629CEF,SHA256=6F58F46FA13F8DBCA15DB8676B131DCA8CB06EF7843B673414556295D33A958B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:49.032{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE74A7EE01F10EFC7A2619E09AD60A7,SHA256=3A2E99A382E43D2D4675850C4354B3A48CFE548C1F101CD70C2DD076F3EA6525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:50.879{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E6F90F68DEB4C8E03694981C1DCA8C,SHA256=64FD4B5DD759190D80587059DC878A737B3276DA1235551594DB9FA123CECE96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.608{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.606{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.380{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.380{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.380{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.366{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000081371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:47.315{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49385-false10.0.1.12-8000- 10341000x800000000000000081370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.241{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.234{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.224{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.204{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000081366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:50.126{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD40A3716A53BFFB22BD07B80045E8B7,SHA256=10389EB43587E51CA508FB79609CF092B2B17CB12F94E874A43FB9DA865BA0EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:51.974{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CAE603792797B94FEE757ED233CC01,SHA256=54BDA387E8FE81E7F0F2FD7C6B832F1FD394833F145DA29929AAF1B56D4A7911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.892{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE47ECBD3131DA565731B7A1A0698DD0,SHA256=41764070839514DED8DE8F47DC09910E36791845A817738A745D252DE63F3C76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-7635-63C6-BA01-00000000B002}4944C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.766{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.207{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000081395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.200{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F6F6D42DB6372F69EF4F21C0A82807CF,SHA256=6C1DE5A1B5B3898AF4F54FB3F54C5A2345342E1FA108BB33D81FA09028C359DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.199{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E4933F77DCEE23A86AF44A0168A2F7,SHA256=8C25D4BECBA126317EAE67A7BA8B99F30E2A6C9D461CEA053214B966F7FE6981,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.197{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.194{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.193{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BA01-00000000B002}4944C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.167{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.160{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.148{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.142{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.141{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.138{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.136{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.133{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.131{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.130{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.128{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.127{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000081378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:51.127{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B15EDEE723DB941824E324DA210097BD,SHA256=DC4DD265250C4DB34E6A8E8E160F67296706CA9ADE7800F79F85041E6B54D427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:52.183{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1886368E01C0D0820F7F697EA31BF8,SHA256=F468D4C8EBD13B2309ABBD8FA618EEC71ABBDB81E450D014BB2ECBCA717F2469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:53.402{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0D1BFA1DDBC83D61BEEE179416ADF556,SHA256=EF519B72FEA8745B69C41754919F47E243416E3EB98923F32C5E1F57B455CF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:53.272{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8BF6F02FA1F314F19D4BCFDF0A36B3,SHA256=2E7F65997A9F9E12DF00836BCBBD56B7E0F01259DE140358203DEFA788AD5EBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.508{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.494{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.457{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.440{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.437{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.405{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.397{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.369{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.360{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.358{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.353{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.346{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.343{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.339{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.338{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.336{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.334{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.333{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.328{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.324{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.317{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.310{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.305{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.281{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.276{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.250{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.236{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.183{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.171{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.160{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.149{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.136{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.121{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.111{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000066746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.097{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.092{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 23542300x800000000000000066743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.077{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C3CF5E9F524C2C1CEE7E81F41DB656,SHA256=98A4BF840DA7437F5EE26EDC2F313A9591ECAA1F5A0CF9CF5B78A74AF578D3FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:53.084{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:53.084{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:53.082{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:53.082{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000066784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:53.249{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50260-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:54.194{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F17B135E9D52544B31D1618CD9CBD74,SHA256=E6A8733885964A95227125836C5454BDBA2A0043ACB1C6E5CCA20E205F4BF976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:54.371{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B576BABB22D57A4CAD9057C9DD892B16,SHA256=8C6B3FE484C23F3FA8E8390E26DF5059699D5D0AE0FBA6FC40D26F9169A5B8B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:55.994{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000066785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:55.358{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150BF18EF5F0EAD08B519D7F81187F9E,SHA256=EB862900CE39EC94AD50E3A0E8BD5F1D3AF2D758CFD7745E20DC32313414AF79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:55.472{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79CC4CAEB3E72343E7505C2565A97EC,SHA256=B10CB13D5DEB007470FC91BE08AE481036CABD6AA3C95C3B46292305A0B99C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:56.419{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E911791AF39110EF29B857270466C42C,SHA256=A146B6402E92E5A76C3B93C028FCACD1BE96F239D7482F8468BAAAB6892FC385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:56.567{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A08DCEACD6689F835A21FE37F7304A,SHA256=5AB9D32937AEFB60BFA99CB417474F1186AB85822812D037E47B5969855F96F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:56.011{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:56.010{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:56.010{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6201068C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000081451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:53.256{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49386-false10.0.1.12-8000- 23542300x800000000000000066791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:57.517{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309698A6C7C29B94469089CECE11CC5B,SHA256=C4FB1AD9DD53D540930A126A60FB5C75DC52C9675C717867A280BA7443E146FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:57.774{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195176FBFEE15CEA531342B8DDAC4AE4,SHA256=C8C73E737103E58F02D2E6BFD6808A0C5F8169C5B003861FDF9DAC2EA51512B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:58.728{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE2306B8A86E3E6118E88F7D004C256,SHA256=4F491CF56341E2A3780ADC0A65FC364C6565D7FEB9B479FB2A2805CA795D8C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:58.877{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F93E513EB1B552614078ABA4F7C041,SHA256=F07710CEAAA803FC0CE613045F00FB83E2B114ABF0ACA92971BFF15017B6146D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:59.834{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE4F55039636A2BCF0A0F34440DCC10,SHA256=B66E6E50730B3ED04C67248840793FC58C7494348E42DE193B471737B42CE2EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:59.975{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA929F093DC8DC5B0F3574AFB9FA272,SHA256=0DB8BD52CEFE505CCF9D9A2A1027F9893258117CE775ED064BC69E722F86748E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:59.521{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:59.555{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000066795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:00.301{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F5D7B6615C17DE72842384E729C00A21,SHA256=D98A23DCE3EC4C54BD14773C7546DE6C8791B4B24BB4B6BD949140BE9D24345F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:59.048{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50261-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:01.051{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9A0CC60CED872A6CD77F599FCD23E2,SHA256=BEFB13702D8E007C258507218EA01D9ED8919B3D5801C8333099F964EEC72094,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:25:59.204{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49387-false10.0.1.12-8000- 23542300x800000000000000081457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:01.061{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2616E9EED90258E65EB62C4EA4FB33A,SHA256=F23D9A899D462D0227B15D05165547B3B059ABB79CB379B8DD65C7F2A03B4B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:02.152{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3F2A49C725CACBA6BB6F999E435ABE,SHA256=E742F9D36EBE265CE4701EF3BEA58AC4B74B32FB711E64DAFA48D3529677DDB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:25:59.506{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50262-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000081459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:02.156{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4079F3B680EF2EE109C772316EC62332,SHA256=2AFAF228AE9F3A6199BA0EAE96CC1B305C6F39FCF9164C1A3D0E2045020FED7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:03.147{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEEBCA14C94B03DF56E696373A4031A,SHA256=FF2083FC6351D683DA417EFD0D58B04ED80D713E480699705E8244B714286CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:03.257{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA9D2467D7369F4E3E2590B0EAE721C,SHA256=FBE6176458B0092386D9220E629D477094A942272CA1F1EC1843D09BEC67F0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:04.347{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EE219167F71EA9C3CF12B72BA95562,SHA256=05C0C5EA6151411FBB2232BC50B078F42266DD178F3466C0D26DAF34B40E3D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:04.247{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D338C8D7CC8ECA0D17E2FE92E5DE52FF,SHA256=8FF0F08AA307DADF94B1DCFACEF7D11E5DE548263D67FFFA53FD6D4F3300E45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:05.445{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D521BB8790A9EC9379F514E288D6D2B,SHA256=A1AAD5DD6D5775460EE6E465E969F539E30F8FB2067788CF66AC6F17BBB6A677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:05.335{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D2FAA0808837BB112D90BD45E9B861,SHA256=4D329EB92B89862C8C3A15772EAE4BD916D36B3D361084C8DACBD365519AB291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:06.757{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328B550408C60CD576CE6ACCA6AD5422,SHA256=EAA2A837E17F8A1334041F3A42ED873DC03A49C0739542FBBBD21E61C3EBBAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:06.404{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22858CAB805E582A003AD05F85C4948F,SHA256=D00041F85D14C4FE7A2A0CA4AF95A99619CE26FC5387FC6F0262DEF570EDBB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:07.864{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20392BFDC2C5B4020436D444E7BD3BF6,SHA256=3688BBCF186571EFF453ECD2107B99828A582B70C5863690C8F66B28AC4788AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:07.502{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA274AE5053A35A34ADD16A41CEE3C8A,SHA256=8630CACA2C7A46978577A97765AF7055E7E58B84956CD756FE30F2404531C68A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:04.336{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49388-false10.0.1.12-8000- 354300x800000000000000066804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:05.049{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50263-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.955{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A329CFA584469F67AE79C82A1E7A784D,SHA256=ED5A7FD3512331E8432445A45E08D3CFAC3DCF80FD345593407CA54F88307719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:08.594{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222802BE0CBD79A90209A4AB24A3D2ED,SHA256=0D693AB0E066F00BBA890A49146EA1B5816896EB8A23EDC266A5CD57AE734773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.212{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.207{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.202{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.199{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.196{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.189{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.185{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.183{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.180{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.175{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.161{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.155{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.148{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.140{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.131{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.097{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.086{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.077{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.053{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.046{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.006{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:08.003{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000066808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:09.705{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5065BBBCFE23E6BD98C31252475229,SHA256=7DEAA6542915D0BE753764437B002CF2AB63FDE1B73020A704BB8F1AC852CCD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:09.347{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-044MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:10.900{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603E28947E46B27B57E6C6296AE47570,SHA256=36AAF83A2A0BA13857DF9401625534BC3EDCF0F5A7C5DA3EA5F2589059A0DF48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:10.666{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:10.664{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:10.256{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:10.251{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:10.244{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:10.230{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000081489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:10.058{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB918F52F2532965813020424F84CA2D,SHA256=B232B0484C153B55C1D10742F8F35CA93A7AECB93B99B72108990E58291D0E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:10.345{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-045MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000081518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:11.303{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000081517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:11.289{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000081516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.272{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 13241300x800000000000000081515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:11.271{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000081514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.263{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.259{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.258{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BA01-00000000B002}4944C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 13241300x800000000000000081511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:11.256{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000081510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.227{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.215{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.200{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.195{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.193{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.191{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.188{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 13241300x800000000000000081503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:11.184{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000081502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.184{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.182{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.179{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.175{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 13241300x800000000000000081498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:11.175{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 10341000x800000000000000081497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.174{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000081496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:11.125{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6889B3AE97A86FD0557B1EBDF60F30,SHA256=B628200E81214F5BC59A8C94B14F1EEBC64B15907E12E97B410B612A5CE342BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:10.049{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50264-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000066824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.339{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-77C4-63C6-1D02-00000000B102}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-77C4-63C6-1D02-00000000B102}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.335{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-77C4-63C6-1D02-00000000B102}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.334{F6EEFE7F-77C4-63C6-1D02-00000000B102}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:12.111{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EF65333F0BC56ACE7634CFFC9DD03F,SHA256=0174A5864280F13D0D919349802096CEE83EB7DF241A9BBC78AD727D53952D55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.993{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.993{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.896{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.896{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.896{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.572{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.572{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.572{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.572{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.572{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.572{F172AD64-7634-63C6-B901-00000000B002}49006296C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000081520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.501{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe8.48Notepad++Notepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=4F10934BC823396BEF7BB3B1A8D8D7B6,SHA256=6EEBED1FD47637616E93A797FE061D6504AD81454A822EC3BFD172A0F922C884,IMPHASH=8EC2FD92F1BD9347B33C3BF11F5A195A{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 23542300x800000000000000081519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.209{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4700A857D7DC070DB250BEEE2C410E,SHA256=13AAE4D4605F67A972AFCA100A62DBAECBFBF04510AE8AD988BF62F0FAABD346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.538{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15E49D5CD4E29128457C9A64B41EAA5A,SHA256=B921728AB8DEABA5CD1F48B0C8031602CB7285BCC519B3373881EE5E0688EE72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.381{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927D87F29E5140615F309D898DCCF973,SHA256=D849088329BFF5889228D40CC3E4465C605E843A07C91E5D7C0B56DA1557911F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.331{F172AD64-7634-63C6-B901-00000000B002}49004828C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.331{F172AD64-7634-63C6-B901-00000000B002}49004828C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.331{F172AD64-7634-63C6-B901-00000000B002}49004828C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.331{F172AD64-7634-63C6-B901-00000000B002}49004996C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.331{F172AD64-7634-63C6-B901-00000000B002}49004996C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.331{F172AD64-7634-63C6-B901-00000000B002}49004996C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.331{F172AD64-7634-63C6-B901-00000000B002}49004996C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.504{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.495{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 23542300x800000000000000066865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.488{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8B0E1A52196A63496778FE1A70051533,SHA256=1F46FB0DEB655374E856E730021FA1BA6D8BE4CD0BEBD806B6A4F5CF08FB22A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.460{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.446{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.441{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 23542300x800000000000000066861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.402{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179AB38054F4ACA2556C04D07750D24D,SHA256=934D6BC8A9EC86BBAA2193C47C153D1FF1542E81DBBC1E3C617ED082CE6AEFEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.383{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.371{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.355{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.349{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.342{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.331{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.325{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.323{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.322{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.312{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.309{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.304{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.299{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.286{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.280{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.274{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.266{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.248{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.237{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 23542300x800000000000000066837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.206{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BDBCB5571BE965307DAB2B3ACB48E8,SHA256=3C33560D0AB8A3278DB37B7E20087B0FEFE4238B8C71EF3A9F854E81A95B8972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.188{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.178{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.161{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.152{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.142{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.116{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.108{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.096{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000066826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:13.092{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000081555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.221{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-77C5-63C6-2002-00000000B002}5956C:\Program Files\Notepad++\updater\gup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.221{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-77C5-63C6-2002-00000000B002}5956C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.190{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0BC507B87BB41F4B6FB36D741E3629C9,SHA256=F7AF4503582C7F64E6466C1FB3A27243ABC31474E4E3210E5F455A85965CADCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.143{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.143{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.140{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.140{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.125{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.125{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.079{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.079{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.079{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.068{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.032{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-77C5-63C6-2002-00000000B002}5956C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.031{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.031{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.031{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.030{F172AD64-77C4-63C6-1F02-00000000B002}61245996C:\Program Files\Notepad++\notepad++.exe{F172AD64-77C5-63C6-2002-00000000B002}5956C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\SHELL32.dll+599af|C:\Windows\System32\SHELL32.dll+5983c|C:\Windows\System32\SHELL32.dll+5958c|C:\Windows\System32\SHELL32.dll+125a17|C:\Windows\System32\SHELL32.dll+125975|C:\Windows\System32\SHELL32.dll+13e81b|C:\Program Files\Notepad++\notepad++.exe+14b459|C:\Program Files\Notepad++\notepad++.exe+1a2a17|C:\Program Files\Notepad++\notepad++.exe+36d842|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.030{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.018{F172AD64-77C5-63C6-2002-00000000B002}5956C:\Program Files\Notepad++\updater\GUP.exe5.24WinGup for Notepad++WinGup for Notepad++Don HO don.h@free.frgup.exe"C:\Program Files\Notepad++\updater\gup.exe" -v8.48 -px64C:\Program Files\Notepad++\updater\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=AD1B5B9F22A4EE6515E5D2B2E59D0E8C,SHA256=D221DFDEB2016D5D24E0F6AE14ECDA84E0F0F8380F02A4EDAA45A354E395A981,IMPHASH=E701E8EF4E4DC8123B85C54C8532ABB5{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml" 354300x800000000000000081535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:09.349{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49389-false10.0.1.12-8000- 10341000x800000000000000081534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.011{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.011{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.005{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:14.527{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000081567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:14.527{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000081566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:14.527{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000081565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:14.496{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224BFCED2A8987E108E7F439063F5E1E,SHA256=AF6D46B1DF104B3907AF2F70146E33330B8701B84551B09D598360B4EE2353F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-77C6-63C6-1F02-00000000B102}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-77C6-63C6-1F02-00000000B102}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.978{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-77C6-63C6-1F02-00000000B102}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.979{F6EEFE7F-77C6-63C6-1F02-00000000B102}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.424{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77C6-63C6-1E02-00000000B102}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000066887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.424{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77C6-63C6-1E02-00000000B102}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000066886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.424{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77C6-63C6-1E02-00000000B102}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000066885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.423{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77C6-63C6-1E02-00000000B102}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000066884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.423{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77C6-63C6-1E02-00000000B102}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000066883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.423{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77C6-63C6-1E02-00000000B102}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000066882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.313{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=86A850AA4958194CA75C94BCAD716A57,SHA256=9E8278303DCCDD0F0D2A18BA2F1CB4181B8810B40A1A049EDB649D3AC12A2A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.310{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14C6F27D00FA0DBF60C635F6D27ED8F,SHA256=1B0909F6933C3AAD6A6208CD3D79DE7F1B25B7391EB365D6EE314970F8077B97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-77C6-63C6-1E02-00000000B102}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-77C6-63C6-1E02-00000000B102}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.295{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-77C6-63C6-1E02-00000000B102}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:14.294{F6EEFE7F-77C6-63C6-1E02-00000000B102}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:15.465{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9768A1ECAD6CEFA7D29B90648DFCC419,SHA256=54F8FEC59E80B7C4B957AAF6CB02505D372F42C82EA63C49E10810BA3897A025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:15.587{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7BE00A5B4E9329A67936300DC1D471,SHA256=71670ABA104AE4F2A9226E0B99FBB69B6FE3F4A3E3A810661D2B84CAF20DE584,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000081575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.268{00000000-0000-0000-0000-000000000000}5956notepad-plus-plus.org0::ffff:2.57.89.199;<unknown process> 354300x800000000000000081574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.370{00000000-0000-0000-0000-000000000000}5956<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49392-false2.57.89.199-443https 354300x800000000000000081573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.241{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local58560-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x800000000000000081572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.241{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62132- 354300x800000000000000081571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.240{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62132-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domain 354300x800000000000000081570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.236{00000000-0000-0000-0000-000000000000}5956<unknown process>-tcpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local49391-false127.0.0.1win-dc-ctus-attack-range-141.attackrange.local49390- 354300x800000000000000081569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:12.236{00000000-0000-0000-0000-000000000000}5956<unknown process>-tcptruefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local49391-false127.0.0.1win-dc-ctus-attack-range-141.attackrange.local49390- 10341000x800000000000000066902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:15.213{F6EEFE7F-77C6-63C6-1F02-00000000B102}49325656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:16.803{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B8079CDEE972801E4C94F90864EE3F,SHA256=20A8B9F3BD592449F4C4EB28A6390A2A6A574730E670144F30092A4EB9BB0C26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:15.056{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50265-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.602{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370A318CB8A6671DA534B4576789CDFD,SHA256=C3D9322911999CAF5042AB43E1000512DD1F2E81830E086BF79A539EE7948BB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.472{F6EEFE7F-77C8-63C6-2002-00000000B102}54804328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-77C8-63C6-2002-00000000B102}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-77C8-63C6-2002-00000000B102}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.237{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-77C8-63C6-2002-00000000B102}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:16.238{F6EEFE7F-77C8-63C6-2002-00000000B102}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:16.281{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-044MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-77C9-63C6-2202-00000000B102}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-77C9-63C6-2202-00000000B102}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.886{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-77C9-63C6-2202-00000000B102}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.887{F6EEFE7F-77C9-63C6-2202-00000000B102}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.694{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509B1EA6346AD7AEC803148A5B59FBE5,SHA256=0777A255ACC1A0BBCDF7B0286F23B3D9C6F8ACC78287FC0258E7E1C5CB2F5167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:17.916{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E675DF8BAEF69FCBE46EB34A503E0F8C,SHA256=89DF90D4CEB3C19469CCC5422425893A34DFCC63B9FE2B8A75AB9C16D622446E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:17.295{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-045MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:13.959{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51208- 10341000x800000000000000066933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.538{F6EEFE7F-77C9-63C6-2102-00000000B102}49724636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.334{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-77C9-63C6-2102-00000000B102}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.334{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.334{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.332{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.332{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.332{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.332{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.332{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.332{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.332{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.332{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-77C9-63C6-2102-00000000B102}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.332{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-77C9-63C6-2102-00000000B102}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:17.332{F6EEFE7F-77C9-63C6-2102-00000000B102}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:18.778{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957F18E817C5F41F15A50064069C4915,SHA256=8E28389009843493E4861FF978E67E47C51B4BB68B16CB1E44C20A6A8F8C2A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:18.624{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B994FC97F7B2303E7EB662086BC40209,SHA256=B3442D6141CC0380127FAF6E6DE1F360E1B4DA68D8792D65FC0DE427DC4E5F4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:18.042{F6EEFE7F-77C9-63C6-2202-00000000B102}42043520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000081582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:14.370{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49393-false10.0.1.12-8000- 23542300x800000000000000066964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.865{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255FE1EB942992E3FCA1DABA49F229A6,SHA256=7C1CF993CEE4183DEA33F9A8143E88FAECCDA2F75DCB03C1227B6092699CD34E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-77CB-63C6-2302-00000000B102}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-77CB-63C6-2302-00000000B102}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000066952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-77CB-63C6-2302-00000000B102}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000066951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:19.498{F6EEFE7F-77CB-63C6-2302-00000000B102}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:19.022{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0BC1E08E3383B16672D0F25B8588E0,SHA256=E6150518083F84E739214608D7CA5C435A55318447E922D9CC3E220F86C18A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:20.950{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DBC2835B2C960F3AA763E1E1B7A21F,SHA256=1F3F20D1847737C789C0963D288902FE553CC4449AC36DCC67AD22E3D221B882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.905{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-77CC-63C6-2202-00000000B002}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.905{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.905{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.905{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.905{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.905{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-77CC-63C6-2202-00000000B002}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.905{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-77CC-63C6-2202-00000000B002}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.905{F172AD64-77CC-63C6-2202-00000000B002}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.227{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-77CC-63C6-2102-00000000B002}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.227{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.227{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.227{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.227{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.227{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-77CC-63C6-2102-00000000B002}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.227{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-77CC-63C6-2102-00000000B002}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.228{F172AD64-77CC-63C6-2102-00000000B002}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.102{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E69BC60958A53BB2BBBA6E1AC0D3AE,SHA256=183802BADD1A2A6747EBF39B0524A05E8C88E1B137F6A4312F2F31F4BD009D5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.870{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-77CD-63C6-2302-00000000B002}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.870{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.870{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.870{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.870{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.870{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-77CD-63C6-2302-00000000B002}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.870{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-77CD-63C6-2302-00000000B002}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.871{F172AD64-77CD-63C6-2302-00000000B002}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.375{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2BAC904C555AE2FCFA1CA4DBEC838421,SHA256=E97FF05255B0D0072BC7786206C996B3C8B402F3F794438D8512F33850AE85A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.295{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D04C6315DA04CF327125C37F5C24EAE,SHA256=0076725AE5F75D80905550829CC828D2BFF8D7E07F8FF027D5EE82287A9B3C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.200{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928ED81201B367078655E1B68E25D64A,SHA256=C159E7F16F250E62A143F9C98EE506625EE221D69189882F7BC8C5F560F6E858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.194{F172AD64-77CC-63C6-2202-00000000B002}59045624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.190{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=46E025EACE70EA5DFE30A040DEA91F18,SHA256=07FA6ED736B19AD53FA847CA0B29C436F711AC6646AC541CF0D5F5FE0E894053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.176{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77CC-63C6-2202-00000000B002}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.176{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77CC-63C6-2202-00000000B002}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.176{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77CC-63C6-2202-00000000B002}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.176{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77CC-63C6-2202-00000000B002}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.176{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77CC-63C6-2202-00000000B002}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:21.175{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77CC-63C6-2202-00000000B002}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000066967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:20.255{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50266-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000066966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:22.139{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2B19B33B3D3BE19232FD10545BDA9C,SHA256=D6AF94A8781FB9C059C13EB1FD08BB55A40D47622CAA566003C1D4B0F8E54A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:22.197{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E05801E449CB448E95B16D58BAE2B11C,SHA256=9A3A95856685CE12AE4C0E3925B0B4741BCA1C0A5617F4660C16511DFB0FD8B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:23.293{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052E10FCB78E75ECDFDC6EE41E2D56DF,SHA256=CD5763A23C9C852402A9F5D1CB6F97A9E3D27FB1049591F5361557A4ACD15345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:23.219{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021AE86EB48D4529E8266984FAA01818,SHA256=09625A1CE69D8BBB1F83EBCD4B10260300F14841CBF29C74F536EA8B4F9C2756,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.714{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49395-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000081622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.714{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49395-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000081621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:20.382{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49394-false10.0.1.12-8000- 10341000x800000000000000081634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:24.544{F172AD64-77D0-63C6-2402-00000000B002}42404172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:24.388{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94577C794B81A1A7D6DB0131C961D409,SHA256=6E8B7CA700129982DA84CA06215C53C88712666C1F5EE52186733BC01A7FCA66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:24.354{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-77D0-63C6-2402-00000000B002}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:24.354{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:24.354{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:24.354{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:24.354{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:24.354{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-77D0-63C6-2402-00000000B002}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:24.354{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-77D0-63C6-2402-00000000B002}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:24.353{F172AD64-77D0-63C6-2402-00000000B002}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:24.320{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEAD30957950759CBC4B17B96677FD7,SHA256=BA7B6A3665FAA56CE9E30958BF87A19537D52FB619B3C8A13B6DF3C551CE567D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.917{F172AD64-77D1-63C6-2602-00000000B002}58445292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.698{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-77D1-63C6-2602-00000000B002}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.698{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.698{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.698{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.698{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.698{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-77D1-63C6-2602-00000000B002}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.698{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-77D1-63C6-2602-00000000B002}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.699{F172AD64-77D1-63C6-2602-00000000B002}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.480{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC74D74C41A722F69D1307BB584A340D,SHA256=C11A6D97ED81B4DBADC62A44F23E6524B984D826AD74EFFCCBE92F55B8D239E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:25.398{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449BD648C052B4416A15955C73997188,SHA256=BCF51EF1CFFC8E5F8641F5BBD26FC019FD690FFC2F0AA5687CB50B135EAF7983,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.232{F172AD64-77D1-63C6-2502-00000000B002}55285240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.223{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77D1-63C6-2502-00000000B002}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.223{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77D1-63C6-2502-00000000B002}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.223{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77D1-63C6-2502-00000000B002}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.222{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77D1-63C6-2502-00000000B002}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.222{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77D1-63C6-2502-00000000B002}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.222{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77D1-63C6-2502-00000000B002}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.028{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-77D1-63C6-2502-00000000B002}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.028{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.028{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.028{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.028{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.028{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-77D1-63C6-2502-00000000B002}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.028{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-77D1-63C6-2502-00000000B002}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:25.029{F172AD64-77D1-63C6-2502-00000000B002}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.857{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6989225D1121606754D717BE5ECBAB28,SHA256=79CD0EE445440CA7FBE8BFBBC17C40AAF26BB866BACD033E5D58DFF1CFCBBC54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.779{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-77D2-63C6-2702-00000000B002}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.779{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.779{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.779{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.779{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.779{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-77D2-63C6-2702-00000000B002}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.779{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-77D2-63C6-2702-00000000B002}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.780{F172AD64-77D2-63C6-2702-00000000B002}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.576{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E38DA974966707DBA33B10F18131B38,SHA256=675BC903A96EC34937AB4B4FC3C69587369F6DB46881F7B2E9DE90E3E6D31E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:26.483{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2E0EB202E038C280CE478240E0D403,SHA256=69927643BB172BA7BB51067CBD6DB1420D4D0206BA3363C2DEC5EEC0FCA1C7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:27.576{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603766DBF6214AA9232D85ABBAB4BD0C,SHA256=2AE315861B881A25D6E9FCC338014D293BF3C715076704B64CD839004EC3BFFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:27.664{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4713330BA011BBFE5DFE1F738A7E8F81,SHA256=3B3B1EA418DF9038EECDDD88F09AB21C9273C059220415DFD44447AF5747802F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:28.673{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B032C91C925EBAFF5C7DBBAE001ADC3,SHA256=47205F4A3A0E7C053E28A4A14D99656BFEF3F7BC930D287C43B62251C75A390D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:26.027{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50267-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.748{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D5C680CF55D9FFC624A424874D7CD2,SHA256=398D15D5739CD00EB6E44F0C82D6222745A95A2AD14F8DDA9C127F691DD12EE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.219{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.215{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.210{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.207{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.205{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.199{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.194{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.192{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.189{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.183{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.171{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.166{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.159{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.151{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.142{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.099{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.081{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.074{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.065{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.052{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.007{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:28.003{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000066975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:29.759{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9B35689A5BB0733EFE29C2EC8183D0,SHA256=FB0F42056BC7B32B75AD16FBDD31F059AF552695EB9FB48014FEF3C4E124F434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:29.830{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1794AE82ECF6941FEA2078EC4D5A1FF,SHA256=E221975E90715A3984BD76E0857A845124D942103ED709A240C136D0EC849407,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:26.383{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49396-false10.0.1.12-8000- 23542300x800000000000000066976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:30.839{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722965389EC3E0944A4BF29D222EBFE0,SHA256=DA2B8F8F3CC5C78C1F8ACA80ADC389C16F4040FAE500750B99FBBC89E670B728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:30.984{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:30.889{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6B5075C89E9252AFBA80CA1BE55128,SHA256=BBAB1CB087540005A096B7208D7BCC333EE088723AB13453FB289F4389100783,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:30.646{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:30.645{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:30.274{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:30.270{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:30.264{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:30.252{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000066977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:31.932{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C742D30E0A77B6794CD670616708081E,SHA256=762B1C097A27D11A993BF26D3FA7A5FA9357960C97157F5A0C955D04A171D29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.961{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C67A9756801353F2C9C1FAA36CDA1B,SHA256=34CBE731520080ED43211BCCFC985C1F30B75392DC8E299A9E47795963617890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.262{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.248{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.239{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.236{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.207{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.201{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.188{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.183{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.181{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.178{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.176{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.173{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.171{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.170{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.167{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:31.166{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 354300x800000000000000066978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:31.185{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50268-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000081722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:32.529{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92a5e-0x2b43beb6) 354300x800000000000000081721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:30.115{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49397-false10.0.1.12-8089- 10341000x800000000000000067018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.450{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.441{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.411{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.400{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.397{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.369{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.361{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.334{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.328{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.326{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.323{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.319{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.316{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.311{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.310{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.305{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.304{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.303{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000067000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.301{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.298{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.293{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.288{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.261{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.259{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.245{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.234{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.191{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.183{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.165{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.153{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.136{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.131{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.113{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.089{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.081{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000066980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.077{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 23542300x800000000000000066979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:33.035{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCE73A6AEABF6FB958EFA2053E039F6,SHA256=0B9CFB8CF416FB3701C7A99976C9DE910166A424A6EEBE850B877FC9F0B804E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:33.060{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3132F61252438E36E1E638EAF18868E,SHA256=930327642CA4D53B0AF699D2EAFF96D8A5AD39E627DF8FE93F41B5B2FD71A427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:34.432{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5778D42CFD05E76D12DA0F9836C28E51,SHA256=4C5C947C055986CBEEDF12E26DDDC2134DE8401A0A56F44025D4E2F8CF8FF008,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:32.224{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49398-false10.0.1.12-8000- 23542300x800000000000000081724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:34.146{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FB9687BE8CE0D6624952E2B3DAF1C1,SHA256=922ECD259575985564666F0E59D25CFA34E9B043951C61AE540FC1E16646BBB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:35.540{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E683BC8A176E6B4BF7D9D9A13F59C50A,SHA256=7540C64331CDDBC66A54935DF50A5B2B95FF87E2E52CF3B0E092665020C17803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:35.251{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987828FBBF4757A28A892A6228DC2D54,SHA256=40C8CEBF4176D93E86ACFB1A349B3B190451EE7DB7D42FB1AA4342BEBCE533EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:36.626{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354C4CD05B4CE3AA392A7EB0268970CB,SHA256=C9084B558D57FE1142220EBC4F0C2155284BFFBB1188E200E2A12F5297270D42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:36.647{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:36.647{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:36.336{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5EA5FE810C2AC1ED694DE5279C9FFE,SHA256=B7111EE0F4AA97CE05E29BEF97B8E23245FFDF1866714F8DF2096022A5EE5AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:37.708{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC6AE914BB78CDA68306C9D89FC0451,SHA256=AB22614D5846BF3AB753C5342D5917E295BC053D411B50BF99F8860FF277FEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:37.435{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B238C286E01E4CC898DBD6DAC977A6,SHA256=2B7C7EDE706E57BCE14EB2333F9CC5F497545C957B113D7A861F1D41D20F6860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:38.812{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525573BD1DA00C3B23B435D186270B36,SHA256=5F496D4849FF663D37F30985327F8163CBC68643BC997EF2C061578A09EBBCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:38.526{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F87AB7A8DEBA66A9767C23F0642813,SHA256=193B97C1C5608CFBFD2090958058AE206289884A840CEC8324920513248260C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:37.113{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50269-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:39.616{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3AAB95B8EBE5F646F07B9105057304A,SHA256=5B8956D8CFD56FE13254D89004066C4086CEC3AB49A1104C63B7105964DE2823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:40.990{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2859A86D9013EC211196D2CFA903E2CA,SHA256=2ED0EDBD5D88DEC31D72BE69695B8CB0634FF9201811E74CEDF0A433614685BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:40.705{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422F60A6CCBFA3399DC113487EBB3DDF,SHA256=6F22E50CC7D9B2740E1FF26FC0C2F587BD6D47849EB37BC9F4F8C0FFBAB9F34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:40.012{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685990A2A34C90E9BE64D65490616AE6,SHA256=613310A174E8D5D72E32EEB8DD6DDAE73F1167FA538A79771B761F7CC83A6B9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:38.213{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49399-false10.0.1.12-8000- 23542300x800000000000000081735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:41.812{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A585CF626332C31D22D8D1D969FDB562,SHA256=55F04130F1AF49C30A58A5643D02861CC5EC8ADBD35E2C2A018ADB91DCB03AFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:42.922{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F783F159CB49D79D66640290F45D02,SHA256=ECA2B0ABB09FB0A0C4066EABEB18AE68D57CB22799046A8E44908F2A670D24F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:42.080{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF8276D503B634890CD614C3C88439F,SHA256=D959F7B92405879390C09BAA118293861A0AC772742D1AEA4534A4F628092A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:43.169{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E30161225FC1D1820ADDB58ADEBF279,SHA256=DBA8F4910CA7F3AF43093B2C31F71A60FFE369254F887A05EA9A56F0A8367C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:44.429{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=490EC89201DB9F167229E27F124D309F,SHA256=4F719E09ED406BC31C90F6DDB8436194A2EAA6FDC371202BEFB8CDBD6981B12F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:44.269{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=859D357290D1C34BC9C3C63644B3A4EB,SHA256=9CBD16A416ED6000228247D0D704215B48E2F73067EF4D5A6AEB76F5FBECFEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:44.011{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B59F5A7FC715F9907437FE655CF4B94,SHA256=A1FC64907A3002F9DEC4C0E98F9A2FD2639F34C2183409EF9819266C152469BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:45.351{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B236C46ECBD311BDD4C1D9F78618CD2,SHA256=136407811198662B449C62336C91ADE9900BB443E2C0DD5543A66DFF495B01ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:45.118{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38132E5CA306349E87376D7078D06664,SHA256=9CDADFDC68FB6F6F296195532A1E48678D5FED9828006A91C22FFF0DC231E348,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:43.105{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50270-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:46.424{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D402C0000F65FB94EBD9A3CF76E44CF,SHA256=15994724FA9E5400B2C2B7885C1BFDF40F6B071613A02F7571DF59C5504363E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:46.225{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A80CD295B14F117EEA02796B79C70CF,SHA256=D3E05B4BAC374479B439787BDAF129863C993C5CFB34D382D1970221E2772847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:47.624{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6E121EAF54C3661C9860A290F3DD19,SHA256=6EA39C4E5BD270C16DD5EB5670C30A4D156A3AA37E92600D8AB780C310FB3278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:47.329{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A704670A23119CDD440626B5E65AADC,SHA256=71DDF4EF3171EF280A87987635BD69D5C3C4AE4F787162FAFB39BF4E8EA8F27C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:43.351{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49400-false10.0.1.12-8000- 23542300x800000000000000067035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:48.825{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723759BA7D9ED5EF90DF5593BED84E5C,SHA256=223103D582CE9BD58E471703023F26E5D09B5ACDD774D672798E2B21D4CE071D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.405{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D3CA35F21EA07D635C3C2B9C1B59C2,SHA256=292874A8C8D29B8EC6DF54DA4943EA53B04BBF1AD19379AECDFA1FAF11E13FB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.223{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.218{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.213{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.210{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.208{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.203{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.199{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.198{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.196{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.191{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.179{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.174{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.168{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.160{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.151{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.119{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.099{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.090{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.079{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.071{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.021{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000081742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:48.017{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000067036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:49.915{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67F342FD36FA41F10C055EF7988EBA3,SHA256=F9E9501A4CA38E92D48A4019ADD5CDCAA73D5763296BCC7AAF28E22C54D0D952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:49.508{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3507F2ECD878C9A5A6C1C151519FFE,SHA256=35036A96BFB529E20D3F83E3C3C17C3EB4B9CAC5825F3ED762DFA7B762A42F6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.800{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.797{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x800000000000000081774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.672{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2DEE29BC3224BC976376A8D154D751,SHA256=A7CB6BC6871250AB8E6BB17B05F9D1DA06F21415CC68AA960EAEF872BDB984D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:48.241{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50271-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000081773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.385{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.385{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.385{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.369{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.301{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.294{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.285{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:50.264{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 354300x800000000000000081796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:49.286{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49401-false10.0.1.12-8000- 23542300x800000000000000081795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.748{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523F7924BCB02FFA9939AE2AE1C8997F,SHA256=BFA347BDA6683646891730DA4E90554EEE2A395F6FE270259402350DDF37D903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:51.016{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF644075E2F9D584018B64970BC9865,SHA256=1F447798C542BBED1D14D74004D51D3A076857D1BD8B50A31030D680B62EDA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.576{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F6988C0E1D16FF045AB6FCA6ADA73F9E,SHA256=0C7E236BC1E17317B55875E363CC96CAD09D98E1D6E8D575A098B310F0A59050,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.396{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.383{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.374{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.372{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.346{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.341{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.340{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.329{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.325{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.323{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.319{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.316{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.314{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.310{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.309{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.306{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000081777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:51.305{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 13241300x800000000000000081804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:52.961{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000081803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:52.961{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000081802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:52.961{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000081801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:52.961{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d92a5e-0x3771783a) 13241300x800000000000000081800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:52.961{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000081799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:26:52.961{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000081798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:52.852{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423CC5449470B76ABE49E00505C2B3B1,SHA256=7CAE312DB72DE481A75712573B8F408AF5CDBF10A63C76CA7BD864439DD76A8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.347{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.347{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.347{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.346{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.346{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.346{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.196{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.196{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.196{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6201068C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.165{F6EEFE7F-6CEF-63C6-1400-00000000B102}10281468C:\Windows\system32\svchost.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+dc41|C:\Windows\system32\wbem\wbemcore.dll+2cfcf|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.134{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.118{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.118{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.103{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.103{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.103{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6201068C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.103{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAB1A6291463D4B2CBFEE06A5B6D574,SHA256=E8D2FC9DB7A9614B8A8CDF547A5C7EC5DD8267FE060D0A5A0A99A390EADDA526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.087{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.087{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.087{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.071{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.071{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.071{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6201068C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:52.411{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:52.009{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6201068C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:53.954{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F76B9E7A04CDB30E6DC589603556A1,SHA256=2864C37E4149F8895BEA9E664A033523C2F175F65FD434C77D49F5DB2E294A17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.985{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.985{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.505{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.495{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.467{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.447{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.443{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.407{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.392{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.372{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.366{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.363{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.347{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.340{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.337{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.334{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.333{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.330{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.328{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.327{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.325{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.318{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.309{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.299{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.291{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.270{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000067077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.199{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B91D1262336EBBDBA2418ADEB731C2,SHA256=E294F91CBB151DE42ADA43A838D32F9360C2D6076C809BB0CBAE2FB8ABE09360,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.199{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000067075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.191{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CDE9AE0EE9632F34995C040D99D7D22,SHA256=25EB7F954E78174EF6F7AB246BF8EB3FEAF4945BA995ED8CAFBCA294E7C1F2F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.188{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.178{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.169{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.156{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.148{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.136{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.119{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.107{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:53.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000081805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:53.419{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3BF08FB1C4618704292DD33BC8500DD7,SHA256=3A458FC7875D030531074E9E766701E8DE8611C564BFB4CF433DBFEC0BBC8DBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.576{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.576{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.576{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.575{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.574{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.574{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000067114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.440{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4917F9CC44108FD858BA3553F418154,SHA256=1CD1584C4CF48E514C3CEF56B67BE1C4FB216673B794F5FF23DEE07B6426B387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.117{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 10341000x800000000000000067112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.117{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 10341000x800000000000000067111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.117{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 10341000x800000000000000067110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.027{F6EEFE7F-6CEF-63C6-1400-00000000B102}10283664C:\Windows\system32\svchost.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.018{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.002{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:55.995{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:55.262{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D43EA27D21AC38CB4AF0B9F115A2FE8,SHA256=1969B56DB2E90A54EFB9C633614FE57689E392D310595519614B7EFFB971FBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:55.047{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF27A916A1F40755E03AC8154FE34BA,SHA256=87BD43E69700305C6FD1FA656678532E1CBD38AEF4EB2D2C93E280666DDDE8E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:55.122{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 10341000x800000000000000067122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:55.122{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 10341000x800000000000000067121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:55.122{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 354300x800000000000000067127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:54.032{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50272-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:56.299{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6950DB2AB37379CEA29C9A189D8DF43,SHA256=1DB3B6DF6CF60BC75BDCD92D422AA008C060A00C5F4EC99C626BEACD42B73FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:56.139{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C267760C0861287B1D229CDDA2E713,SHA256=3D603A5BA0949E3F81F443CE468D5BE31BEDBC9FEF049664053D5BB304D72FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:57.507{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654480C6919EAE45463E8C5F2FCEFEAA,SHA256=3A8BFBBB7785165E5FD26EF15F92A05873D2111075E10955972EF2A5707400C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:57.237{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3DAC772875059714114E94473C76DF,SHA256=F7343BE8C04D132674D05B2BFF8D5480E83C0B95A3B5FB5D5302868E45AF2222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:58.808{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BA4BFDC7787668A80F8B94F8960F80,SHA256=A4417122A761EF3F0804E7F431F4E372D72306D7785F7343EE3A35058B83CBB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:58.327{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F660122E96F986ADFD3F57A90FF2F00,SHA256=D0099E97DAE39EB9A2A268E5AF4F71BDFDE6580D9FD7F698D22FBC5800A46A2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:55.254{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49402-false10.0.1.12-8000- 23542300x800000000000000067131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:59.900{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D065E39C1696A21D49D3AEAE22E2EC91,SHA256=730A2090BD33131F00C71D8E34C94F8D031A927A3001EFE16F2AD93D1D261CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:26:59.433{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DA9950961BC9CB89421B85A9872EE2,SHA256=4E307DF3B29F511A754C611483C0DE3573490CBD2F269490DDBA25EC108638CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:59.540{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:00.518{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D170B5D3C5E9F46E9B5353510FA65262,SHA256=DE0C8403B9740C3C0E9F0B1A1E1DCAA6AC890DE5AB7A8F2A830DE735431BB4ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:59.040{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50273-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:00.307{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=64C6CB019F7730973098DD11845CBC9C,SHA256=637D46C21423EEED162E494B7290F8A18CE5A1B6A3C4128F8602C8FA76BD3678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:01.743{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE15ACB00A876A91E2F599EA8AD161DB,SHA256=8BF11C777CD8D886B74ACC12550100E4AAFB51DBD6CACC2D9E3BFD495600C54D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:26:59.523{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50274-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x800000000000000067135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:01.213{F6EEFE7F-6CEF-63C6-0D00-00000000B102}7644104C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:01.010{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B33C66A50AA6B88B035466517677B64,SHA256=756FAC02AE6723DB725FBCE35996696737517722483B45F1F9A9610D47CBC143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:02.827{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3C738C7C67759818DA50611827C379,SHA256=3A7D8B125D84F08FA1F7577BAED6F07164EA39349376DE7A55C418C9782D2403,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:02.849{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:02.849{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:02.849{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:02.106{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0474EE01AFD8E991D379DEBACC6CB57,SHA256=C439911F0632FE17A9D212F49C29926CD9BBD6038434937D5D82B7A8506A89D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:03.918{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401CC17A23CC92AF2D985B3C1AA7DCAE,SHA256=34FC708BF7F708EFC543168112E5564348845662CBE22FFFE4863EB87C9FD29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:03.209{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8B85B840445CEC2A7D092BA0363992,SHA256=98FF54FE89CA505A2344CE86E12A4923841AF3705FF452784560B6D89703CCD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:00.338{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49403-false10.0.1.12-8000- 23542300x800000000000000067142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:04.301{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FBCCAA0963B4D11AC1D04EEF220B08,SHA256=554F21EA8A512D1D30578F01C68BE39D51ABE9D13BF2E7BFD72DACB4A40DE7BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:04.064{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50275-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:05.398{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B30959AB9E643F105876700F745712C,SHA256=1A85BC174CE34AAE24E01E9391252905506E219E6039E522DF47E1938CD33B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:05.017{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D89FBFED052D3CCB88607600DC04B1,SHA256=BB74D8F0BA760C783D5C8E35545E29BC18F26F9346A6E9982BB401D5081AA319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:06.488{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5FC0321F9EEFB82697B1601F4D0610,SHA256=E269FF6E5A046F900452202C629589994535939127327402E924BA39388A31F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:06.103{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378F930B0354DF1FD83DED426AF5CA0D,SHA256=46F935305F64246BC2F1D8CE729DF08C9FB18B8348D5D87A89E6482225F66135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:07.584{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC6960FEF4309FEA9057596C926AC9A,SHA256=F0ED7FEE9D4291FE028EC6569B01F3CC1CABBDADEE1C604DFC8AB5DCCA9C5978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:07.196{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EAB8B835B9031D2ADB2DB72789C845C,SHA256=F73D8916160F541A92137B1CDA3ADF0BEDEAD2AAA2F7C6E678DC7E83D2227E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:08.796{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1A8923CF334F5771368073FF000BA4,SHA256=F309D16F2A7B012D02F4366A04E50CDB32C51041EA9A00AAF3558B1378B5B82A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.275{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE2C8363B26D3B2E30692EDEFAE70D9,SHA256=945825EC052F2D785A86FC3822D7793766E3410F2866CE0712907150266D7487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.220{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.216{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.212{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.210{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.208{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.197{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.190{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.187{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.184{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.172{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.160{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.157{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.149{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.141{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.133{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.089{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.074{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.071{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.061{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.053{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.004{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:08.000{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 354300x800000000000000081845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:06.295{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49404-false10.0.1.12-8000- 23542300x800000000000000081844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:09.263{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038CAD9E615F93102A9C4A69B7CBB104,SHA256=8267E4305167A6E492AB27987313601E9391BDCCD3DBB7B0D1A52A081ED4B034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:10.857{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-045MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:09.999{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2F3C89F0B78A348ED8B050CB597F52,SHA256=43F1D9A6AD75D6A830F15540687CD3158F87AC007C76038EF04160D457030B89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:10.784{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:10.783{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000081853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:10.364{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65BD86E35934F83C385DDF5127C151B,SHA256=BC3EF5E670A2025C6E1954BD27A11A582A4979FC275547EC7496C63B82FE0AC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:10.293{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:10.288{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:10.273{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:10.262{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:10.262{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:10.262{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:10.259{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000067152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:11.861{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-046MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:10.074{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50276-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:11.184{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E03A7B8262AD4E81CA1D3489F7CE65,SHA256=BA3E14954821CCE4A9F2329DBBBE3C413EBA22341586DEB71C501E0FBD781B37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.397{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.382{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.372{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.370{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.334{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.328{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.316{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.309{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.304{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.302{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.300{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000081861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.298{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC67323F8D0CCFDC1832522A6D2B52E6,SHA256=A997308E6310E406BF6908D669A402B3616859F84548550D6DD5688240FB85A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.297{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.294{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.293{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.291{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000081856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:11.290{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000081873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:12.380{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DABDB4EE49F5BAE26F39AA834DF655,SHA256=F7BB68ADB0FCF55893FB5ED1475CD9CC415331BA678FFB203321B520180D43D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.666{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7800-63C6-2602-00000000B102}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7800-63C6-2602-00000000B102}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7800-63C6-2602-00000000B102}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.330{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.331{F6EEFE7F-7800-63C6-2602-00000000B102}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:12.279{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0500AA72BC463D53CA55714304882B,SHA256=EB1AA29044D28E4A07675DF6B00CEB5602F18A7787F5936E0686B57F8421F49B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.980{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.979{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000067239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.491{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331BCDC7540F76F19A52B1E4B3C69183,SHA256=0107EF001023A846FFDC6D2C127C56167DF68218CF6C4DF7D03DB03F070F9F4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.461{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.451{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000081874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:13.485{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFC876F2D711B0E80F67885857FBF18,SHA256=A882EF2A4CCDFBC1DE8F894A694D9ACE12379CE288F8D05B53C61BE79346AD5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.427{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.417{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.415{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.392{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.385{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.368{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.356{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000067229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.349{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=585A0884230FFA5BB0758F9CA2C2457E,SHA256=E59204F9FBA1A5EEC335B45015DA4F01626AC3B52EF99F2E5D70E43E53A2538A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.349{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000067227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.348{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ED54AAA39EC62AEA3ECFFB92AF7C1E3,SHA256=B86B6F59F4CB0C2EBAEB131659986587B714FA17282D47C07C6A6CA0DA06BE7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.334{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.329{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.322{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.316{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000067222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.316{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EE642CD179225671B6052B44742361,SHA256=98BD549EC74EBE34F2D6BC66F548AA3B94982FE6208216309B043D4B6BEA90F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.315{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.311{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.310{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.308{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.301{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.296{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.292{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.277{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.251{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.222{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.212{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.155{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.150{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.143{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.135{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.128{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.122{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.115{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.094{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.085{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:13.083{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000067269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7802-63C6-2802-00000000B102}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7802-63C6-2802-00000000B102}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.980{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7802-63C6-2802-00000000B102}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.981{F6EEFE7F-7802-63C6-2802-00000000B102}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.574{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A2CB56B4F949B558E6CDD029A44EA1,SHA256=E23C50723DD698DE0960BD7775FBC63AA25995041ABA603B280DE22C82DA7DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.574{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0CE7D456125EF128C1D64AD78B937497,SHA256=0D7DA70CB641B1499B11D0311CE76A8F1D1674B08A92982158C41E623EFFF17F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:14.578{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D02C5CC9150375F529D6D0A7413E20,SHA256=575A2808B1178DDFE91AFD1DDE46A01E4AF0B5BECFFE0EE735A1F2488ECD380B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.307{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7802-63C6-2702-00000000B102}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.304{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.304{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.304{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7802-63C6-2702-00000000B102}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.304{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7802-63C6-2702-00000000B102}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:14.304{F6EEFE7F-7802-63C6-2702-00000000B102}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:15.663{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDDEE0892F460AA5E33E31878753761,SHA256=6D626352556A04813C916DCF44575D4E1C2F5A9469E8E5212B26E83C2AB5B926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:15.670{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C692E48FCEB1F212299D6DED50E62EDD,SHA256=FA54368A8C388B59242E4847661ACD96EA2630DC43AE6FAF7B1431999CCBE879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:15.183{F6EEFE7F-7802-63C6-2802-00000000B102}55044352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000081876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:12.229{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49405-false10.0.1.12-8000- 354300x800000000000000067293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:15.087{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50277-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.763{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCE0CC15F78D9FF87C1C6116D2BA80B,SHA256=6726B5BC7687504452760116CAE08F1715227C8CB3A65178C36CBB789E14A13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:16.759{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E70CE3B2EBEB88ECCB7DBA1530D13CD,SHA256=BE3CC160DE3A4A5C76F8C1FC48D872DA1C1138C705B27B9833805D16E2F9BFD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.463{F6EEFE7F-7804-63C6-2902-00000000B102}15962364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.341{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7804-63C6-2902-00000000B102}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.341{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7804-63C6-2902-00000000B102}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.340{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7804-63C6-2902-00000000B102}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.340{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7804-63C6-2902-00000000B102}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.339{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7804-63C6-2902-00000000B102}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.339{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7804-63C6-2902-00000000B102}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7804-63C6-2902-00000000B102}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7804-63C6-2902-00000000B102}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7804-63C6-2902-00000000B102}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:16.237{F6EEFE7F-7804-63C6-2902-00000000B102}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:17.846{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5378A366F142D5B3617F186C317A8744,SHA256=35B89DFE4F715FC7F19858F9D00A6E2E0D7ABC6198A6EE756B05D43423AF185D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:17.818{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-045MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.540{F6EEFE7F-7805-63C6-2A02-00000000B102}39005612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.331{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7805-63C6-2A02-00000000B102}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.329{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.329{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.329{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.329{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.329{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.329{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.329{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.328{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.328{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.328{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7805-63C6-2A02-00000000B102}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.328{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7805-63C6-2A02-00000000B102}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:17.327{F6EEFE7F-7805-63C6-2A02-00000000B102}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:18.820{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EF147B4533BD756FD35FE7EE50B90E,SHA256=8B9D32561B452EC5F9F443900ADF6479BB0B88B0DB6FCFB5AB28ECD8D56B8943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.616{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8BFF5AA4C89B9CDC54D2BAF29392A09,SHA256=6682B720B2E235571AD8C63B2335F162A6AF0522637799BE37EA435035145359,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.197{F6EEFE7F-7806-63C6-2B02-00000000B102}50764728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.056{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222A4E0178DED44D1C6A0C3789125E01,SHA256=1850C5D2257D86380769AF5CAD42F0A06B48CCB7DD58B66BD28E67BACBABA545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7806-63C6-2B02-00000000B102}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7806-63C6-2B02-00000000B102}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.009{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7806-63C6-2B02-00000000B102}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:18.010{F6EEFE7F-7806-63C6-2B02-00000000B102}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:18.818{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-046MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:19.925{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAFBE351D291BCEA5D417F1C5D35245,SHA256=C1F2ECD42AA13C010CC17A000D5C7CE256E9093F80158F3C438A4948F8855C9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.511{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7807-63C6-2C02-00000000B102}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.509{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.509{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.509{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.509{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.509{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.509{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.509{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.509{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.508{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.508{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7807-63C6-2C02-00000000B102}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.508{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7807-63C6-2C02-00000000B102}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.508{F6EEFE7F-7807-63C6-2C02-00000000B102}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:19.163{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EA533C893377FA7877200D71C7BA3B,SHA256=F56824D804B65919909D5B668C8D5E8DBB3B45E252B923023FBEB0153602FC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.992{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0185C97330A3E897F53F2091F08EB2B8,SHA256=3D8D4B91980BCC2BBEA59E2A0401164123C7C49D233F9ECF54CB7FC8A453B7AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.930{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7808-63C6-2902-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.930{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.930{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.930{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.930{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.930{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7808-63C6-2902-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.930{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7808-63C6-2902-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.931{F172AD64-7808-63C6-2902-00000000B002}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:20.255{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C81951C644A3F8CE54A578B4EA213DF,SHA256=144F4C3B324138E76AABB56D9FB7471FE1CD7D15955D9319E8FAD9415A2D3DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.626{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0B5037F0EA590975D4EEE974854F7078,SHA256=D179FE4175FB6DE50561F0B997E3185DA2958BC628D137451E2AE0B2D7566C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:18.174{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49406-false10.0.1.12-8000- 10341000x800000000000000081891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.254{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7808-63C6-2802-00000000B002}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.254{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.254{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.254{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.254{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.254{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7808-63C6-2802-00000000B002}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.254{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7808-63C6-2802-00000000B002}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.254{F172AD64-7808-63C6-2802-00000000B002}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.977{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81E1AA7FE72A9666DB944AADF1A4FA3,SHA256=E1096CBB817F4CDB9BF8386EEEB0BC3C7EEFDEFA70999A26290830F8F2203793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:21.344{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3279B4B15748577862575B48BDEEB0C2,SHA256=44CBEB91BB10657B5A7AEB84C02E2282C162B3B378C7D0D3D33A6DA4414F133E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.895{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7809-63C6-2A02-00000000B002}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.893{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.892{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.892{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.892{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.892{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7809-63C6-2A02-00000000B002}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.892{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7809-63C6-2A02-00000000B002}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.892{F172AD64-7809-63C6-2A02-00000000B002}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.704{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2D300F007C48E7E23FCD3049D27D28F5,SHA256=5E6E9D592C0FC7C95DC6FDF04BF3DA7C2612828D344987B0CD69BB4159792160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.398{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=593A654091342F93CED98F0AEBA3FF5C,SHA256=4274BB04A6FA2421E375D96662FBA558572BA78719C455CB7D0B02C051987326,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:21.145{F172AD64-7808-63C6-2902-00000000B002}4004492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:22.438{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7393C5B32C87A33A7FAFD258246D8158,SHA256=8EE57314422F1996E34DA3A4AB6E9C58F4C9385FE9110158A5DB56B170913DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:22.350{F172AD64-77C4-63C6-1F02-00000000B002}6124ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:20.127{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50278-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:23.640{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B863C3EAFD3AF02AD730241A1444AB38,SHA256=5ADB1CD75EFE3BC7301A5A02644A32FC1CF3C064F3DF2856C2A95F7A847A4019,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.714{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49407-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000081917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:20.714{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49407-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 23542300x800000000000000081916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:23.081{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91986E641F8EEFDC829B4EE887C01374,SHA256=E5D4171669916F524C5C18A88BD150BB1D01954E7A0F6921F41C08A1E841C1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:24.745{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F208AEE02964F233E72DA84E8868C39A,SHA256=7A5A05FB27B6FA7349D6A307C053D33094AE211302D29B76E7DB1FA27C884D41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:24.528{F172AD64-780C-63C6-2B02-00000000B002}59284296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:24.371{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-780C-63C6-2B02-00000000B002}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:24.371{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:24.371{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:24.371{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:24.369{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:24.369{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-780C-63C6-2B02-00000000B002}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:24.369{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-780C-63C6-2B02-00000000B002}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:24.370{F172AD64-780C-63C6-2B02-00000000B002}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:24.165{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4934CF5A463CE87B911191B76CADDAD,SHA256=60BC5448740748BB1A98623892078D62866B0FE2C99CE0E13374FBEDE927FFBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:25.848{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55B17B2BAECB787D1F779B70634553F,SHA256=7E806ADDF2CBD8B19A796A448FBF693570BF6F7895A1E9498742CCB2CDA77A65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.902{F172AD64-780D-63C6-2D02-00000000B002}63086192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.795{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-780D-63C6-2D02-00000000B002}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.795{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-780D-63C6-2D02-00000000B002}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.795{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-780D-63C6-2D02-00000000B002}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.794{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-780D-63C6-2D02-00000000B002}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.794{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-780D-63C6-2D02-00000000B002}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.794{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-780D-63C6-2D02-00000000B002}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000081947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:23.310{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49408-false10.0.1.12-8000- 10341000x800000000000000081946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.727{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-780D-63C6-2D02-00000000B002}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.727{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.727{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.727{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.727{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.727{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-780D-63C6-2D02-00000000B002}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.727{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-780D-63C6-2D02-00000000B002}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.728{F172AD64-780D-63C6-2D02-00000000B002}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.254{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53193C1C6690A874B32DD18B4B14FB0,SHA256=A96227422348C8C6EFD083D1090A2AE7C93B0901E626A36D076E7FB1E898C97E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.223{F172AD64-780D-63C6-2C02-00000000B002}47125020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.051{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-780D-63C6-2C02-00000000B002}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.051{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.051{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.051{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.051{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.051{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-780D-63C6-2C02-00000000B002}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.051{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-780D-63C6-2C02-00000000B002}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:25.052{F172AD64-780D-63C6-2C02-00000000B002}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.835{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=766C3757773CA7FC383DEFE79E540D68,SHA256=97D4E307E23DB385795E9805E50AD658786154A841EC0CDCFF26E5D74036831D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.802{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-780E-63C6-2E02-00000000B002}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.802{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-780E-63C6-2E02-00000000B002}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.801{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-780E-63C6-2E02-00000000B002}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000081963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.656{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-780E-63C6-2E02-00000000B002}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.656{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.656{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.656{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.656{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.656{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-780E-63C6-2E02-00000000B002}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.656{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-780E-63C6-2E02-00000000B002}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.658{F172AD64-780E-63C6-2E02-00000000B002}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:26.339{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBACBDFB7547A1AE12F7ACC6BB2A2BB0,SHA256=9B6E2DB8348A3FC291D8DBF2B4843984BE3D39767194D7C2ACAFA4C6012A59FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:27.454{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE89F13E1DA90A92DD559D490644FE0,SHA256=25AF2753212CECEE02F421B6DAAF0DB655C94A1139618B8D4D0AB28F81590E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:27.041{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3689458C96EC91E65598CAFBA8A19A6C,SHA256=4E9307DEBBCCB787FF4C1BCB5CD959654897A74A340406C60EA7962A7CB4DA8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.523{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D8705846209DEFDF9E829A4B6F74B5,SHA256=49971C7BBE69CD01F2B98C125A4ECC264A09C1BFC982259499D96FE494529FD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:26.099{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50279-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:28.136{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC002BEC8B307A884EB84BA2AA2873FB,SHA256=161E1EE01DA5E125910E25C08236A923FAA52227D7D9A8B88658F2158622106E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.225{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.221{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.217{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.215{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.213{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.207{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.203{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.202{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.200{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.195{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.185{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.177{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.165{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.156{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.144{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.107{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.094{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.088{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.078{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.070{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.015{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:28.013{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000067348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:29.238{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73C5EDF6DE26DC4D3A39750D0A3EE27,SHA256=F06DDE143F506F2E0D6620FAAFA860D23777AF91A28B43641F01E59858B22064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:29.634{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015372C9D61463DD3700CE9E618E7ED8,SHA256=A7C85CDEE8C917E60517B7E7D183F6809A2ADCF4E034890EE3C483A5BD1A3125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:30.323{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0174F2FEC877C1E1592A55EFAD0C4A34,SHA256=DA827E10B91FF2762C851AD45E54DD2957760FB38E0336F338408B7A808327F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:30.699{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:30.698{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000081997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:30.697{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DA52C28BCBD0C61A1CEA057E2FF06F,SHA256=BA02C5B084C2E3613F2A1AC0FABAF9AA4634F14456AE56266E6DCE91958129C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:30.281{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:30.272{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:30.266{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000081993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:30.253{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000067350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:31.431{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FF8A0E8EBD500E871FC40A623B4628,SHA256=FD6D8A87A4EC0D6741CAFAEAF24ACA46BD78241790DAD8C09106EC7953AD57F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:29.147{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49409-false10.0.1.12-8000- 23542300x800000000000000082017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.760{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEDA93CF781B920AE9935CA0AF0CAA5,SHA256=C19FE888016D275066056FE1384BD6E71F850BAE677FC1B15981C0A17624E4F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.331{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.317{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.307{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.305{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.276{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.269{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.255{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.244{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.243{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.240{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.234{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.229{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.227{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.224{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.219{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000082001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.217{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000082000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:31.013{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:32.742{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F642E69BF8F4664B8522C89EADD01719,SHA256=BBC1AC48AC663AD6218F5BE9B31C42D498F1B1166786158FBA8BACA85E84F923,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:30.126{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49410-false10.0.1.12-8089- 23542300x800000000000000082019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:32.847{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5372435873CA419309650827E68E8209,SHA256=C8401C866CB8346D16D85461792A5607E52477EE5179820CB85DED9FAD38A0D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.966{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.964{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 23542300x800000000000000082021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:33.941{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0629D5D435324C695B7090BC0E57BEE8,SHA256=FC1EBC4BE0F71117C4C20973F55FB59E5FB8A5135FCB747A58FF335CEE79394B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.447{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.436{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.409{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.398{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.395{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.369{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.360{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.342{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.333{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.327{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.322{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.317{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.314{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.312{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.308{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 354300x800000000000000067374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:31.140{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50280-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000067373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.304{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.302{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.289{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.261{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.258{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.244{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.230{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.174{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.167{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.147{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.133{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.124{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.119{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.111{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.104{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.095{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.087{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000067352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:33.084{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 23542300x800000000000000067394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:34.103{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD244C5247D3A84892B229EC853EAAB,SHA256=90BFB5965870182E750824F14F119E48DCF03CCBB0FAF3491FE43B7C6BD79BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:35.226{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8479D8B65908B5101BD53B2CD37BE57,SHA256=FA101AC9188C5D066E1BB65EB529803F3AF302CFA627FA12B94DCBEDFFBEBBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:35.030{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449A68E94887E1AF9834F893A151C3BD,SHA256=97800217192681BD7016794C85F527902CD635DDF3E260228FF4FEE716BCC5E8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000082022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:27:35.015{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92a5e-0x508255ae) 23542300x800000000000000067396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:36.320{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C007B059F0F1A6F12FC783AA16A7A5A,SHA256=45C4FA39A15C9327567198BED10CA0E71404B59B14083872CE4B6108EEBFD10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:36.123{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4654541A78F30C122EC7D3CDC6933DEC,SHA256=006448E38F95CB39B7BE952128DE9D278746D48EE4C1DC974B11D92B95C8C812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:37.520{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27CAAD188838AF143512DB37C969FFD,SHA256=08D83E482231F8AC0C3CD776A804800EF9D81A1B644C8EE24EB843B3188F2629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:37.224{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A638630B104CEFCDC97B1EE5CD3DDD62,SHA256=A50A869ECC9F27418DC154C9E9EA5101BE9F4BFCE8958E621C538CD6F5C24DEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:34.274{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49411-false10.0.1.12-8000- 354300x800000000000000067399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:37.053{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50281-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:38.831{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26847FA17A1E5A498C2D2E313D03F4E7,SHA256=B87C1185CB30C48D7284894A986E064F1F39C5A9331BED1A3FA5400F5FB2DBDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:38.306{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D91DCE56F25A10123CF7DEA26456927,SHA256=A597A227C63C7B47CDB3207EEA7AC17E12F0A3C038BA80D4E267465C32B4C2D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:38.150{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:39.929{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098EC94272D40AF18EABE7880725301B,SHA256=D46F0C84ED2168A3F645B7CFC8F24246918F7BEBA3B5F3DBCA44906829B5A3DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:39.407{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EB973DDE65549171E6DA872BFFEFE6,SHA256=6460F4D245988D3F4BA47769D34B553DA900405928E93DF717FD4D4938A3C736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:40.497{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E45CB986E756761B21F43BA2B65DD1B,SHA256=12DCE87AED31B4ED42E9136A70709678FF8CD7A4BEE76358E60910152947B52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:41.609{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31661BB77B884E96D0673EAC3232631D,SHA256=E4F0DC4E3468B8ABB535981359F893BDC289329A975FE32C0BDE767C55786DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:41.033{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A352338F5900435DA3E8F18936A258D7,SHA256=A27BADE629A063A25EE3ED7F2D04EAA7B34D3A9727BDFB51867376E36FEFC5B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:42.706{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9222F85E1EA0212CAC16171A00EBADFE,SHA256=774E3A2D2BB7E712C0237C08D0D36F3E187525C49E3D87E2FC208F69B9E0E042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:42.120{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7638914833BF3E0F726995E69E2CF9B,SHA256=EF6D617860804298070CFEDA68F0B3F311DA20B0009F277562FCC6226DB13DAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:39.286{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49412-false10.0.1.12-8000- 23542300x800000000000000082034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:43.796{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7596FE43EE471B8FFF674EF2E972CF7B,SHA256=0D3BADDC7EEF61F31B07610B8AF23A339F255EA575D8514974A6C2B6AEA3CEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:43.766{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=344BAC726D719036171C39D925964646,SHA256=5DF857546B84EF4F695798724B6B0B89D6ED0DBE6F92C4F3CAF26AFCEA06DB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:43.216{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DF066951E56EB8949F4CB99AC59071,SHA256=667C942C6FA8897A7DE31DF3EEB7EB54C1821357B2237DBC89FC1E0107215C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:44.900{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F799A4D0C217FFA41BBCBF5A8DEDE0,SHA256=0562A849FC2DA17592B601A6529AC5CF9BAA0DC45092E3E102C76D2A60FD421E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:44.310{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47866D68B7BC263FEEE6C970226CD553,SHA256=0228A9C6C5B8684EB9A27BC6C0878A0B4BCF49368881BA8FFE4FD9D818616D84,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:42.070{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50282-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:45.399{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFF0386F44292514950008EDBB41D64,SHA256=4C03BAA0F35CB0BB876FCC973367E032A68643DD87A132E43472B9CD70ABBBED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:46.477{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CFA444FF68FF020FCCA17ACA4C50172,SHA256=2648E044C102FA8A2C43B0D30418172E275C74FA988AB2153D5072B82CE687E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:46.004{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009F281E6E70DB9FC51717BB96D9132D,SHA256=141F4B9AD4230B771BDDD099C8A0968F5A632EEDC46890A10F3ED283F67BC342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:47.584{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83B54079D6269990F60D2F1EF72890B,SHA256=6612714A04920EC29502A9C53425DFC64431275E79D6EF732129BFBC1E350835,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:47.467{F172AD64-6CE8-63C6-0D00-00000000B002}8922084C:\Windows\system32\svchost.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000082038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:45.288{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49413-false10.0.1.12-8000- 23542300x800000000000000082037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:47.105{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7FA6862D8B6351C0584762786A68A7,SHA256=4271C8538445131245F1D44466C6FB21B20F0BEBD942661A275462C7561D770D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:48.681{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07FED4FCAC4C0D2AF2871BFB4E746FF,SHA256=BACDC431E2ABFA7EFC2C83CFCB8F12D2AE9F9182AC5DB37CE13DF0CFA1C4B682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.266{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.257{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.252{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.250{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.247{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.241{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.234{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.233{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.230{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.223{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.212{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.207{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.199{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000082049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.194{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D88A0E9C6475F3D02DF3D42F742B06,SHA256=7D59AC789C16624385D02F54A60999B205AB8A0326C888CB57F777EE48D31A70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.187{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.176{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.131{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.120{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.113{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.103{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.093{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.024{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:48.022{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000067411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:49.984{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98654BE4763C852C90B1F466E3E881BE,SHA256=410A98C83B06540C145049B89833E174B89843DAACB6DA88ACBE341D2D00E541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:49.179{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109ECAAA543D329B72CFFC2814BC9203,SHA256=F1C8442993A037384C35737356B0B78035350495C40D89BFC8EEFAA46CE7BA16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.816{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.815{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.392{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.392{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.392{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.372{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.326{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.319{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.312{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.297{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000082064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.266{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9ED0AAF883272F376D6FACAAE941D1,SHA256=DEF4C3A810309B184BB774718CFE70C81FDB07136DE2209C4267260D77E0AF63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:48.033{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50283-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:51.094{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6940797D73F692090BFEB26B5761BF8D,SHA256=11D223B2A39E8F57EB05D8A0F049762213263BB4E4AD0BFB5B442BC038AF209C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.888{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=ECA82DCC4778D254E60DD95B97B4F9C9,SHA256=08DA797A488644D620F046A44ADF8BCC381774EBC40CF0237F6DE28D5D53035F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.428{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.407{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.398{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.396{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.373{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.367{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.355{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.351{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.349{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.347{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.345{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.342{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.340{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.339{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.337{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.336{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000082075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:51.319{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E71DD54B122E786E202149D295A4B5,SHA256=51DA22413BE8D3DC4ACC06D9C3FE365F4066843CC8980F1518B0E012968340F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:52.286{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B38BD1F74749716A0E43C929FB33715,SHA256=14F8A3E04ED1A8977A175198C00608CB187B234F4D60D99EC6C20085260F503C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:52.398{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1CFD968F6E9FF6F859987A63767050,SHA256=BD95C8E9C0D8FEC3D5A08CCA95670840A5205CC781C711247D50A5B9E33B7EC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.650{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.632{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.583{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.565{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.561{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.507{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.496{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.467{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 23542300x800000000000000067446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.464{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BD810432409B8A1E891326A49308B7,SHA256=650BF542995F74D8826E3371C3BCF29E4CCDB38A87586B66A9802FA8E571AFFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.457{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.453{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.446{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.441{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.437{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.433{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.431{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.429{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.425{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.423{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.419{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.416{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.411{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.403{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.399{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.391{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.377{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.373{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 23542300x800000000000000082096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:53.486{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35D050E71AB92822649F8C975D5173A,SHA256=C969626FCC2E4F9E8794B949D11ED2E5BBF860AB07F6348E5E56FC9EDB24DEDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:50.322{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49414-false10.0.1.12-8000- 10341000x800000000000000067427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.345{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.328{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.239{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.223{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.199{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.182{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.155{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.146{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.130{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.117{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.104{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.099{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.097{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 23542300x800000000000000082094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:53.423{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=528551AF961650642D912B9C8E39CC9F,SHA256=2D2CE92455FC8F9902E30A09A644F82C76739B1CC6C9A9779BD3B38AF393FE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:54.606{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F093B53EB2D126AF0E09D9A4613DED48,SHA256=A8D4FFEBE2783F3F6989B6D0AF05815B353E6AB3A98FC60250313F5AFB87F001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:54.584{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBEB4FF7329053517B40056667FFD58,SHA256=B42FAA5BCCCD051F5255D16950502E3CF3CD8643EC6D32C8926BC3544C2F7446,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:54.156{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:54.154{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:55.997{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:55.636{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE8345497DF6C427CE684B93B3FF4FB,SHA256=58D54B1F223F45B3F3204DD0BCDB613BCDCAF549C26D59EA587CA15F52E6A01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:55.672{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA72A063F4BE790E5F735F669C3A7D6B,SHA256=E9394890B3C61D51418131DB93FFB62FF0616DC5C7F0F99035B13196B73A32E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:53.239{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50284-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:56.712{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597662E4188411C0795804132F80CD29,SHA256=CD77A6F7AD8B2E502BE08B3898CD611C71F74837FB4E658B8CFFB5DE8BA06E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:56.765{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507027D79D1C5B3AED3BD54F9E0D08F0,SHA256=E597D2EB614F0E80456B4F7CCB2C184B71735CBA95F737CC248545C34C3CB2B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:56.010{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:56.010{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:56.010{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6204072C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:57.806{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BA25D2440CDC65EC3A85A8D578B1D1,SHA256=3156672248949C9D4AF4D7B90517706269F66DE0DC7B0B9643BB9550ED86ECD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:57.859{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7C3A1EF68CB36F3A6E8832609B98EF,SHA256=9DF7AA056BBB43070B8D113BC55C125F76FD45F26746D807B803E03251407EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:58.904{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AC3B9E7CF3522B9D095232F433C59E,SHA256=1B9253276DD79582074E6CD87B5786F113DADBDCE87E65E85446C374C35B82D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:58.957{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430E8DF991DC067B56BCEC54CC588313,SHA256=CD7DFFDFA38460912EDACD7B156BFD09EE04FD6830009632D5CB2D0DEF330018,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:27:55.375{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49415-false10.0.1.12-8000- 23542300x800000000000000067468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:59.992{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24684891AC2ADADF4767B67C954E8D07,SHA256=11F7E14AE22DEF9B3EE1D640578E5C3E0EBADF7BA951822733A127EE2DEB2418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:59.563{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:00.324{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=01719A89B29678D127151D729EAF1DC5,SHA256=1A8877D0162B34DC98C879F1ECB3FDCFA03E08AA42A0A1919876DD32ED2BC0B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:59.040{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50285-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:00.043{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A13A5A6163420F36247573DC02D3C58,SHA256=6BB501C2CE4388ADAB0332F0938314B7D60C55ADC579E9960C028AD0402A9295,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:27:59.544{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50286-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000067471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:01.197{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6056B50CCEDCCF68B4A4AC638D76C1,SHA256=B3C07ED0266C48E52B01384C29FD2A478CACDB875D298B26DE75A90AA7A2B3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:01.122{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDA6580B3A8DCB05428147E283CD336,SHA256=02A1DC66B6E3A1B60B2F76E77316E203F01C505893578F75360777D3EF9D878F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:01.119{F172AD64-77C4-63C6-1F02-00000000B002}6124ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=AD80B2AFB85A2C45F12BF94E48169A9C,SHA256=C2773A210D80C272F27792B2BA323EE3DD7A68B7474F7C222B00DC7FE517CF4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:02.401{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306E6420AA3C4716537423EA080D4CAF,SHA256=4FB4969CD53FCDBE07E82E36D9087F7389E8BAD31B66287B7F700DE36401D879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:02.219{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E84A65C0C096C6C1289856597F84025,SHA256=0F90427E9DE303AD4805C5B25881CC49832DA9885C5D793ACDEC3A64B1477333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:03.599{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93206B8934B62D4183935F40E950E718,SHA256=395A380E8DD4697CC4024ACA89096162E137CEEE31BF4D69297FF72FC5D52140,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:01.207{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49416-false10.0.1.12-8000- 23542300x800000000000000082107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:03.313{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A921702D4C8AA0315AC4ECBE32A232,SHA256=9ABE81AAE2221C22C75F8B29D0D3EF7A49EDCF84E8BBFD0DDCEA713E4813A0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:04.696{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEED9955E1273CE92110B9A067456B5,SHA256=DA8D352AB0BA6C1C598D21B14C365A9AF41AB15AE4EB0C116CF99C4BA1F52C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:04.420{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB51B57B6559CDF6DE6A317B9AB69E3,SHA256=939645B366CD2C54D2D23C7968B032F287C664577387A0496926FEF8250A14BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:05.779{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44319B81D12D0FEA0F3F9493CE46F775,SHA256=2BEAE8E1E030B56B98751DAC64AD20E0465D4CE354636FBA9AC944969E051A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:05.626{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0548C35765C9CAD3C9FAEE3D478F223B,SHA256=4C0A3D38F20E4EFF95389529D6014D5A2B63258C1367F2B04FBC99E168A2A02A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:04.048{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50287-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:06.984{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF1ABE1F3DFD19B45079DA47475C33D,SHA256=7C743B208044A0DFD3D6F31BB2AE6D516BED4B7521ED18AFDBCD5DB06C099E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:06.717{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3129034BFE42F8654CBEC4246F822F,SHA256=7E19641CA794F129238697D936D11D18A0C65E9A712FC84B8DDE1FBE571928D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:07.807{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DFCAE62962D3F2D2422A1FD45DDD7E,SHA256=E9732BD9A9ED0B1685092D00B3BCA2A815BC7D1D6297E8104D16FD50FBCB6EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.898{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8735A9E13117C94B49D39BFAF6248A56,SHA256=398D2A3B0ABBC9987E5EC611B7346EC34075A24263651C5E7AD7357167E9C85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:08.064{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F549B4F6AF828F6DC0FC61D78BE9288,SHA256=FCB0A9257546F6ED2FC7767539A1C144700CF94BB9F83ED9F0974E8B49194767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.199{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.195{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.191{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.188{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.181{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.176{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.171{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.170{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.168{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.162{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.152{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.146{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.140{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.133{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.124{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.089{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.073{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.065{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.056{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.047{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.009{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:08.007{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000067480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:09.166{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79A13C47E6BD2659C1E0241B23281D8,SHA256=499C6F635C03B1A1688715AE7D9AB0E21CCD93A4E7B3AB4562F4ABC5B8F666FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:06.267{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49417-false10.0.1.12-8000- 354300x800000000000000067482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:09.146{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50288-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:10.259{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0E7366AA46F70807F2CFBE8E520432,SHA256=0BD3E35F8E5EA961943AEA7D249ADFC8D6A6E4A0BA8FAEDD7A6989A15850311B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:10.722{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:10.721{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:10.246{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:10.242{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:10.233{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:10.220{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000082137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:10.001{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5531B7B7115DA9311A5E8F8A66139C,SHA256=86AD1CE7A5DFE23601125B0D8D413086DBCEEAC15C4DC9722703CCE7AB92B7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:11.372{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E386F05A5224C2C248CE566A84C0F4CA,SHA256=0472D402CEED35F7EA8FE85761BBE5FAD19F7A249278B025FF43BB5E90D4EA9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.345{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.326{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.315{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.311{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.281{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.275{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.263{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.259{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.257{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.253{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.250{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.245{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.241{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.239{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.236{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.234{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000082144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.054{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21376B8A84BDC2DF8CB0EEACDF0317E,SHA256=386E65E6B0558C9C3A547AFCAF39B5E42DD366E9FC8466694B50B5210BFEF9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.578{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=960373E94541E404EAA58FD23FA5BEFC,SHA256=D18A6E49D72CC1A0B1A21DACEC1CEEAB3E29620AC13411A761C1D1E65ADF9B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:12.152{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949F6073DBE3E6EC111185D4C129D360,SHA256=862C16B8D1ED92D84E6634E52A5B9F1B0433B96A4C040BA1E77254AD39DE04DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.392{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-046MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-783C-63C6-2D02-00000000B102}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-783C-63C6-2D02-00000000B102}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-783C-63C6-2D02-00000000B102}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:12.356{F6EEFE7F-783C-63C6-2D02-00000000B102}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.955{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=94B39B687D994FDC30191ACFED21F362,SHA256=36C3631E1707D435223DAC9B7410A40F1C79FCA83B1E9289F9A58A5D6F58DE59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.653{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15063291EA3EF4B644A341C2CBA3B91,SHA256=677B21A9A82E6A7D1ACE82A22D2859A71F21B50DDD80CB5CEBCB98232F0E9350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:13.241{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A91D184FB12D9AE0BE0D97FD16581D,SHA256=8FC27603670D80230FAFD608F9ECF657AB4C77FC618A256DA842292ACEAB5296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.510{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.497{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.465{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.452{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.449{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.412{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 23542300x800000000000000067534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.412{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4569438998EC270522FD89D7141B4A8,SHA256=6B76E81631A67FA87C45497250FF4B7FAB4EAA158F419445DD26C64D4B327A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.402{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 23542300x800000000000000067532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.389{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-047MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.371{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.362{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.359{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.350{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.347{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.344{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.336{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.334{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.329{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.327{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.325{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.321{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.311{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.298{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.289{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.281{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.259{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.247{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.185{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.177{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.162{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.153{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.145{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.121{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.109{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.098{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.088{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.088{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 23542300x800000000000000067499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:13.008{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F74A375F41549756EA06637A2BED1904,SHA256=8AB5E7D64E17E23AEF458780F2881ABF9224883DE2E419BE1CFAF2037C374FB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-783E-63C6-2F02-00000000B102}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-783E-63C6-2F02-00000000B102}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.989{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-783E-63C6-2F02-00000000B102}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.990{F6EEFE7F-783E-63C6-2F02-00000000B102}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.849{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BFBDBB0A2A99241DB946633F34629D,SHA256=39916F2EA73092CFB9E7287B305B77C855B4EDD33727085EFAD3B9A6D2A2D3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:14.343{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38B00EBA9F787B55F9F88A6D4D44D11,SHA256=AD5D6748F95C762322F017508C1B15BA5D8D639D9E8F07E131353DE56F6C9757,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.313{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-783E-63C6-2E02-00000000B102}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.313{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.313{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.313{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.313{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.311{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.311{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.311{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.311{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.311{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.311{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-783E-63C6-2E02-00000000B102}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.311{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-783E-63C6-2E02-00000000B102}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.312{F6EEFE7F-783E-63C6-2E02-00000000B102}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000067544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.019{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77ED-63C6-2502-00000000B102}3508C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.018{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-77EC-63C6-2402-00000000B102}5124C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 354300x800000000000000082163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:11.280{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49418-false10.0.1.12-8000- 23542300x800000000000000067579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:15.924{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDFE2DAF8197C1FA91199511AA60866,SHA256=B7446DF257862452F0746646087F0DB1BE5E2CA8F880D9DCFDB75876FFAE5141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:15.439{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E4A1C64547BDDCCF07BBC96340743F,SHA256=36D14E9D7115B4189F64D8B14CB8B2DA0BFD80AA7625FCC40241A81AFD53DFFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:15.192{F6EEFE7F-783E-63C6-2F02-00000000B102}60761292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:15.139{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-783E-63C6-2F02-00000000B102}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:15.139{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-783E-63C6-2F02-00000000B102}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:15.139{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-783E-63C6-2F02-00000000B102}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:15.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-783E-63C6-2F02-00000000B102}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:15.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-783E-63C6-2F02-00000000B102}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:15.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-783E-63C6-2F02-00000000B102}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000082166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:16.541{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95BE61845118566E3B23B687776663B,SHA256=B993D5ACD85A7FC0F9249A0BBA507918586751C4C807C86A0B32A516ED096E5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.370{F6EEFE7F-7840-63C6-3002-00000000B102}4416392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7840-63C6-3002-00000000B102}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7840-63C6-3002-00000000B102}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.195{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7840-63C6-3002-00000000B102}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:16.196{F6EEFE7F-7840-63C6-3002-00000000B102}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000067580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:14.165{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50289-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:17.644{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916315436375C5E84A78E4B82CBF3B79,SHA256=280047F9675D52AC35FF5961639F08A9DB6CE3DEF34F2416F97662CFBD8E12C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7841-63C6-3202-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7841-63C6-3202-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.972{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7841-63C6-3202-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.973{F6EEFE7F-7841-63C6-3202-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000067609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.486{F6EEFE7F-7841-63C6-3102-00000000B102}61044132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.297{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7841-63C6-3102-00000000B102}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.295{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.295{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7841-63C6-3102-00000000B102}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.295{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7841-63C6-3102-00000000B102}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.295{F6EEFE7F-7841-63C6-3102-00000000B102}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:17.003{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0CEA817E0EE8494224BDE3824D10E7,SHA256=A24977E0F480FA42F4D117B2E3A25AE2F0FC8B9EA5D5A1B2463EE4EF05C2F625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:18.754{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090367C353830A207F67DE8ED61B2431,SHA256=8C15024672BCAF5073A78729A459548BEF15FEC6BF0ED6018A11F68FAD192439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:18.532{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EC34B6E7FF9C54897934370BF9F3664,SHA256=AD0D08BDF51FF200CB10E2538A0E57C73E8920901A321BC5E11165B6F3B7CFEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:18.382{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220E76DCDD5CA3112B10C92E77314918,SHA256=8EB119CD33CAC5390BE38B134CD2701468908A294BC86DC30D08F39849C982EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:18.160{F6EEFE7F-7841-63C6-3202-00000000B102}60964648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:19.850{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA799104295AA7BAD3E5E19D716C3981,SHA256=1EF3BF28EA5F6AFCDE767403DEDE08DB9550B3C886C889FEBF84D2BCC58680AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.518{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7843-63C6-3302-00000000B102}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.518{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.518{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.518{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.518{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.516{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.516{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.516{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.516{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.516{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.516{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7843-63C6-3302-00000000B102}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.516{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7843-63C6-3302-00000000B102}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.517{F6EEFE7F-7843-63C6-3302-00000000B102}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:19.207{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909C65D7B8554DAB3FF312E86151FD2A,SHA256=5A1B8FCD295868DB831E09188442ED9D1687B7DDB362C201ACE1794EF0A75F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:19.324{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-046MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:16.347{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49419-false10.0.1.12-8000- 23542300x800000000000000082197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.986{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B0A2A781CEDBCD53DC77D0E2DDFBD13B,SHA256=BDA7305AF9BCA87700BB0823515E15A7D719CAF3F0467D3DF976FEDE7B014500,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.942{F172AD64-7844-63C6-3002-00000000B002}61765176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.940{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FF3377767B3A77B564B98282A79A43,SHA256=D6351E1AD7953F1DBB352E4CCA50C5A02F9D5251D6BD05684CBF12A664F4A821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.921{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7844-63C6-3002-00000000B002}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.921{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7844-63C6-3002-00000000B002}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.921{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7844-63C6-3002-00000000B002}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.921{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7844-63C6-3002-00000000B002}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.921{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7844-63C6-3002-00000000B002}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.921{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7844-63C6-3002-00000000B002}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000067640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:20.301{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145ED2DF732B900557657ADC0F33E1FD,SHA256=D4A3A103D25E2A52DC2269E45D6263B667223DE4B75CDCC577B6F446E9726166,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.770{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7844-63C6-3002-00000000B002}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.770{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.770{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.770{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.770{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.770{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7844-63C6-3002-00000000B002}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.770{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7844-63C6-3002-00000000B002}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.771{F172AD64-7844-63C6-3002-00000000B002}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.328{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-047MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.093{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7844-63C6-2F02-00000000B002}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.093{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.093{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.093{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.093{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.093{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7844-63C6-2F02-00000000B002}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.093{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7844-63C6-2F02-00000000B002}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.094{F172AD64-7844-63C6-2F02-00000000B002}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000082212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.968{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7845-63C6-3102-00000000B002}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.968{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7845-63C6-3102-00000000B002}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.968{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7845-63C6-3102-00000000B002}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.968{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7845-63C6-3102-00000000B002}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.968{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7845-63C6-3102-00000000B002}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.968{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7845-63C6-3102-00000000B002}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000067641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:21.398{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271E8F10AE9B0D40AADC88DC3D0567EA,SHA256=167862970C82F681169147763A1194E4BD4304F7DC3E0DD6C821A0BBEED5424F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.905{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7845-63C6-3102-00000000B002}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.905{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.905{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.905{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.905{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.905{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7845-63C6-3102-00000000B002}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.905{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7845-63C6-3102-00000000B002}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.906{F172AD64-7845-63C6-3102-00000000B002}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:21.183{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26A9985CD3EA540EE4D262DE2F4A3B02,SHA256=83C7ECE2028B83DFEEEAAA3B8A1E6B6D5DC22EC505638A20770780BB7D6624F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:22.500{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2087A0DE9E7B1FD8442FB3FF222326A4,SHA256=603A4E4ECB35BF00F2471C43632854F2C1990ED0F9CCDE20FFC511DF2D31AC30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:22.761{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:22.761{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:22.080{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=888E5AF3775C43DCFFC4D0B6C8780841,SHA256=77447881527EBE6F9023F5C594388B2DDE1D7E92A689715CFE30ABB4E6BB7378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:22.034{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7963874F34E0976757ECC47E4898E02,SHA256=B3242CCA4D73FD0A13168A6708CDB6A3F9ACFD58056E31105BFE444E2033E9F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:20.154{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50290-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:23.591{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEC6133D709D8F898743FAF8EB31AA9,SHA256=BE4F83B61441C3C118A5456AF199776374A2FCDF73E6F03679A411661DE3A857,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.721{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49420-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000082218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:20.721{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49420-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 23542300x800000000000000082217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:23.124{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A1BD6C434009826B7B81E65527BFBE,SHA256=E960A151D805577D94F67F7B55CA12910F32E75A4123BD71229939197BDBD975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:24.678{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96AEB3B84BF21727BEF766F57924E54,SHA256=C6AEC2475A73D40AA5F5E2ED5804E6DFC4B1AF2368182CD7569BF2836FECACDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.726{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.726{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.554{F172AD64-7848-63C6-3202-00000000B002}64046688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.364{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7848-63C6-3202-00000000B002}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.364{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.364{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.364{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.364{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.364{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7848-63C6-3202-00000000B002}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.364{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7848-63C6-3202-00000000B002}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.364{F172AD64-7848-63C6-3202-00000000B002}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:24.222{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D84D35E53EAE1FD01F959D3A4AAFD9B,SHA256=2F1A7088C423BE50D22F59D0A3587FA77B290AD92959D264777C3B10A5788CD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:22.241{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49421-false10.0.1.12-8000- 23542300x800000000000000067646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:25.785{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1BC51004349F91BE35C9B16DC2CB5C,SHA256=EC8B1E70B02089BBD84954978181B9AB5413BDE2D64466FA6B2E1366C6F2F724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.917{F172AD64-7849-63C6-3402-00000000B002}70527080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.722{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7849-63C6-3402-00000000B002}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.722{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.722{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.722{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.722{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.722{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7849-63C6-3402-00000000B002}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.722{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7849-63C6-3402-00000000B002}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.722{F172AD64-7849-63C6-3402-00000000B002}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.309{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF0AADEFC9F43ECDEC146478CB9CD2A,SHA256=E1DC393454086CECA95D11C9EE9EAAA289B02F77E156BFC2905BC62FA6225E68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.215{F172AD64-7849-63C6-3302-00000000B002}38205052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.044{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7849-63C6-3302-00000000B002}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.044{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7849-63C6-3302-00000000B002}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.044{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.044{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.041{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7849-63C6-3302-00000000B002}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.041{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.041{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:25.042{F172AD64-7849-63C6-3302-00000000B002}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.843{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91F372E2735B591BE5ED2A0CD66F7F17,SHA256=8166267299692B7D9B3DF58B1677BF7F28FECF3E4A637F68D554327793E991A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.609{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-784A-63C6-3702-00000000B002}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.609{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.609{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.609{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.609{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.609{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-784A-63C6-3702-00000000B002}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.609{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-784A-63C6-3702-00000000B002}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.610{F172AD64-784A-63C6-3702-00000000B002}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000082276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.452{F172AD64-7634-63C6-B901-00000000B002}49005448C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.452{F172AD64-7634-63C6-B901-00000000B002}49005448C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.452{F172AD64-7634-63C6-B901-00000000B002}49005448C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.452{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.452{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.421{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.405{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.405{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.405{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.405{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.405{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.405{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.405{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.405{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F218A68CE2489C5AD1A570E49A64464,SHA256=7C615CF92FD5993618B62E66552817FED9B5BA1AA5B961F89CC307601659CBD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.388{F172AD64-6CE8-63C6-1000-00000000B002}3566744C:\Windows\system32\svchost.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.388{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.388{F172AD64-784A-63C6-3602-00000000B002}60006092C:\Windows\system32\conhost.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.374{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.358{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.358{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.358{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.358{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.358{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.358{F172AD64-7634-63C6-B901-00000000B002}49006296C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+22ac82|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+1700c0|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+16c526|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000082252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:26.363{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 354300x800000000000000067648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:26.080{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50291-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:27.096{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBDE975CBE7CFD6F105FD7F5DA1A0DD,SHA256=BCE4F88E87D5CA598DDA20B34471B417A515C4206C36741E035F48366DDE0B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.572{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DA00297E3648E97C705CDF7B670D9A,SHA256=D216591833A270201CFD10BF45819771B1C6570D3C5A0C7E15BD6CE7A8017221,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.463{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.387{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000082306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.387{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000082305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.387{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000082304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.386{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000082303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.386{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000082302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.386{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000082301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.201{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.201{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.201{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.200{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.200{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.199{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.199{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.198{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.195{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.195{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.186{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.186{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.186{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.184{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.184{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:27.184{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000067649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:28.183{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958A9470AD499775FD27916C3D2547D6,SHA256=0EB589D327D999A1DF06F93C7E2FDBC837FF7511841E05D8592B03DAEC93FEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.484{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41155DA2D6372EFDC1AD139CE31B42D2,SHA256=928B7E1B689540674CDFC57850BC13591D3333E71D6B8235BEC0DE7007F70D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.198{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA1C40D234F0E8A6BC4A304DCD2876B,SHA256=09ECCB56CF6A9CE01A3A93AB3FA457AD6729841542D0C9699C19B8F5E807274C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.178{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.174{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.169{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.167{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.166{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.159{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.155{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.153{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.152{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.146{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.135{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.130{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.122{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.115{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.106{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.076{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.067{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.060{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.052{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.044{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.009{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.006{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000067650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:29.383{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E9D57B575DD1694E0DEE2527F65CF1,SHA256=2D0B7B6710B91B82454A0956EFCE4F7A5ED3A87F9A0A0F551CA83B61D64E8FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:29.587{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB47CAADE185A700F561BD158BA48E1C,SHA256=13FDC8D66B20F1228E1C471D3E4CC0C0E6EE00B5C6F03A343B1DF820A92201E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:30.584{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE7F8A0E2861171A3BE1FC45006E8D1,SHA256=D53010D5E4C14BE293D7FC3495C75E0C1953E1AD443D3EDA25E0518866EFCF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:30.645{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D7F8FF6F85C830B3ED1046DD175616,SHA256=FE8F14110E9DFA565EB1E11F9306062CB44987A8CDF0312BE798BDE1831E2ABA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:30.616{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:30.615{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 354300x800000000000000082375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:28.257{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49422-false10.0.1.12-8000- 10341000x800000000000000082374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:30.224{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:30.221{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:30.213{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:30.200{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000067652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:31.778{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C33A930546C2FD800A1CACEFB58DA4E,SHA256=E5C9A077A09069B429A37C2BEED228517F063BBA766F32ADE6484CF20D17662A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.723{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA2C9E91E6B1DD7134C8F6D117765CE,SHA256=618CBCA58C72C068CB31DF2897E685DCA2E0DC78BE8BF4BA59185A4CBA152565,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.246{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.246{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.243{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.222{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.210{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.204{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.177{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.171{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.154{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.150{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.148{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.146{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.143{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.140{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.138{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.137{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.135{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x800000000000000082380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.134{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000082379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:31.036{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:32.882{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D22CD14DD9F7EB8C4D46000835FD3E,SHA256=C82C9D3DC2E737EC5540D0350253995993EF49E319FBA4A028DB06EFFFFF1AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:32.804{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E3F47527E33D1AD4DA76A390B0CC16,SHA256=FE96CE540B74C4D5D05D8EEABBA512915C0A668A9FCE29BAB5F8F3860221CACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:33.906{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7795A86D0FEEAF1288A514B27253CA,SHA256=9E72F55261511B303F7A7491A921A3E68F7F9F817EDB3DC2AA0009C020D15E1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:32.041{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50292-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000067692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.382{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.374{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.353{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.342{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.339{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.313{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.292{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.280{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.277{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.274{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.271{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.267{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.261{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.255{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.252{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.250{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.245{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.238{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.234{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.223{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.213{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.163{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.154{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.140{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.124{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.119{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.113{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.106{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.096{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.085{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000067654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:33.082{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 354300x800000000000000082400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:30.149{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49423-false10.0.1.12-8089- 23542300x800000000000000067694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:34.522{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C387C6A7BC4DD8E0EB1D7755B57A36C3,SHA256=E6C72DF8AB0E695ECED9D214AA7B1B1DB154765F9BEB01445BAC9F3DCD583149,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:34.721{F172AD64-7634-63C6-B901-00000000B002}49006296C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000082408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:34.721{F172AD64-7634-63C6-B901-00000000B002}49006296C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000082407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:34.408{F172AD64-6CE8-63C6-1000-00000000B002}3566744C:\Windows\system32\svchost.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:34.408{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:34.393{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:34.393{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:34.377{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:34.377{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:35.613{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C496088790ED6F29773F7F092BBBB42,SHA256=CC55D6EF5A5CED0891F5519F50C8C61F400C9D9E7D722D5AD6ADE4B30F1FE321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.913{F172AD64-7634-63C6-B901-00000000B002}49005448C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.913{F172AD64-7634-63C6-B901-00000000B002}49005448C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.913{F172AD64-7634-63C6-B901-00000000B002}49005448C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.913{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.913{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.913{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.913{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.632{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.632{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.631{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.631{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.631{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.631{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000082413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.440{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AED38991A32829398F55EFB04ABC963B,SHA256=2083E3447D15E65C6F0E90A3A58922D336A8154BEE94BE4E17C048F0D95FE3AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.236{F172AD64-7634-63C6-B901-00000000B002}49006296C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000082411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.236{F172AD64-7634-63C6-B901-00000000B002}49006296C:\Windows\Explorer.EXE{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x800000000000000082410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:35.002{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D174FB1F932F76184D63FC81A31838A1,SHA256=FD75CBC1795BC2F94004C7A2B43FE84107D91C264C24424D74DD1AD79F012803,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000067704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:35.312{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000067703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:35.312{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002d3e27) 13241300x800000000000000067702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:35.312{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a56-0x129160ca) 13241300x800000000000000067701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:35.312{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5e-0x7455c8ca) 13241300x800000000000000067700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:35.312{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a66-0xd61a30ca) 13241300x800000000000000067699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:35.312{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000067698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:35.312{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002d3e27) 13241300x800000000000000067697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:35.312{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a56-0x129160ca) 13241300x800000000000000067696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:35.312{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5e-0x7455c8ca) 13241300x800000000000000067695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:35.312{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a66-0xd61a30ca) 23542300x800000000000000067707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:36.810{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C457A7811A3F9379776DB16ECB3629,SHA256=57C3347CF66376EBAB8924708789CCCE4A9FF22C4EF89F335D1769120ADAF3A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:36.302{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:36.400{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000082429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:36.400{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000082428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:36.400{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7852-63C6-3802-00000000B002}5112C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000082427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:36.085{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7D214E66FBD00A209BEA59C6507209,SHA256=0603262228786EE0C6F30F5AE83E926D197C68ED1A60ADADA8EC9A3642976F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:37.907{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB47E13AE31551F0B6D8F43D6E8BCD62,SHA256=69098198F903E4E58B1E30794ABACD54059810798AEC3D0E01159E2E31858483,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:34.146{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49424-false10.0.1.12-8000- 23542300x800000000000000082431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:37.157{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB2A2CDBE06F5ABD4BCBB496B842D49,SHA256=676BD41296E63FC3EEDFD0703D1E45BF03C8E6B3C713C023C6B80867347DAF3C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.696{F172AD64-6CCA-63C6-0100-00000000B002}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSysmonDnsEtwSession.etl2023-01-17 09:40:06.547 11241100x800000000000000082459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.692{F172AD64-6CCA-63C6-0100-00000000B002}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSysmonDnsEtwSession.etl2023-01-17 09:40:06.547 13241300x800000000000000082458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:28:38.691{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=AD0814F73589D6D66D972C7ED4D8B549974BBB505157226018F547E738639AB9 13241300x800000000000000082457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:28:38.691{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 13241300x800000000000000082456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:28:38.690{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 16341600x800000000000000082455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local2023-01-17 10:28:38.691C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=AD0814F73589D6D66D972C7ED4D8B549974BBB505157226018F547E738639AB9 13241300x800000000000000082454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:28:38.689{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000082453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:28:38.689{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000082452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:28:38.689{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000082451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:28:38.689{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000082450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-DeleteValue2023-01-17 10:28:38.689{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000082449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-DeleteValue2023-01-17 10:28:38.688{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000082448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-DeleteValue2023-01-17 10:28:38.688{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000082447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-DeleteValue2023-01-17 10:28:38.688{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000082446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-DeleteValue2023-01-17 10:28:38.688{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000082445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.687{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.681{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.681{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.681{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.628{F172AD64-784A-63C6-3602-00000000B002}60006092C:\Windows\system32\conhost.exe{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.628{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.628{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.628{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.628{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.628{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.628{F172AD64-784A-63C6-3502-00000000B002}70845024C:\Windows\system32\cmd.exe{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.600{F172AD64-7856-63C6-3902-00000000B002}3700C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000082433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:38.251{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E6A109DA3D78374DCFE3F47CFB1C7F,SHA256=42E9D6757A6CF5577A50ECA60CCDCB41CE6C479CCED29304746A0A8089932C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:38.885{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9AF804AA88C823FA40C90FF4D5DD0E2B,SHA256=8478BEF924AA2095DF38FEBC29ADF0D67DD1A7AA61EF010A7A0A1E1C1F6B6785,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:39.785{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000082463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:39.785{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=ED1A83D46D9D35112E9E152892FE5F21,SHA256=F9C078F18D8E3A6E65AEC9D408401A9361A0247AC055B04E7B95DFEFC51D249E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:39.343{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:39.343{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB1DF12A7F573040FF7D6732D21BC4F,SHA256=26E9C31B8C74CE222B1F0B18DCDCFEFB0A54E4BC1CFE24762EF268271DC337A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:37.178{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50293-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:39.104{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE100405AC2212A50B66BFBADC4083FF,SHA256=E40AC92C2802E9BFC2592577364B407F835CFE89186C924F5C5381C45672CA0A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:40.440{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:40.440{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E896649732230FB59B18A22F739E0A88,SHA256=EFF1AB7462FD1FC837FDB0C1904FBC2CE9964CFA608AF12EAC5968E6E3E58028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:40.197{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492E0E85CC1A20D44EE46558BF4E743C,SHA256=58618C429FC0A9C0FFFB174C76B970DE474E6A5F67B6F99E981817C8C6236927,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:41.531{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:41.531{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D97444F61FB293C979583BEB8D2010,SHA256=D24F30C675A9CBA72AC5E012E308E7D4F75EAAC88B72B60889379CB319C6C958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:41.303{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2394F9C65EED21F1AB2F654C357EC69,SHA256=B3A112471CA966293974E90E0E0856C16D3A2346E0522B1844619CE6CDE1C1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:42.383{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E362CCE5F91EC843C52997C1FE8B749B,SHA256=78AF6B1451DA0CFE9607BA7E6A5C7723A81D3E97B8A86EF073D6D3462E76C968,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:42.628{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:42.628{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4117BBF4E9A45D6EAB537A41CB374355,SHA256=65D79A04DE6B28A310F5523F3A135B6C873FD191317CD75F7D38E32A8189D8CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:39.367{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49425-false10.0.1.12-8000- 23542300x800000000000000067715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:43.594{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6304030629F232B6FADC86732C1CE885,SHA256=88FB3EED3015F4C5008223B3B3FC992652BFB87AB3B76E6F146444C99F381284,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:43.732{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:43.732{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE9A210BBF002805216A9F531A2CC38,SHA256=04CB6A132BBF87FBE6CD25AC0EDEB91A43F061791381BF1DEA6DE270FB945E8B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:43.212{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 11241100x800000000000000082476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:44.819{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:44.819{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68C9C44F536C3AD8ECCA72B40B6AA4F,SHA256=3013BA4CD3153AEEAF1F2513F656B42F6D9EBBBE01C8B5E7919385783A46924F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:44.695{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58967ACDD49FBFC4FA4F2C497900204C,SHA256=B55780F432809D8C7C1E8452EA15524EAD8CD0749C29D6524C11ED07D817A9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:44.172{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A3F513A09D15598D6E62D68CDF14D597,SHA256=2CD36BD986B5F13193B01FABDDBEA94774458884B9BAB07C6DC00B6B2CE7C0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:45.801{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAAA26DC4F96D7222BA65E3F39C342F3,SHA256=66AD643D8F7CD227D78E4FE476445F0C26613B0F1914A3BD38E2C4D0744C473B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:45.997{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:45.997{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D35D14F4269C8E991AFE33AF953D414,SHA256=89E52EA139EA2F0D58B70A6542B6258C228F3CBC61F80856CC9D54A34D04DCB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:43.099{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50294-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:46.895{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6F479084E331F895467B8296B4E04B,SHA256=F3E181FA6BBDDE125D71714DB484A69D0CBD90D305F876C31EDDDD211EBEE51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:47.989{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12239475577DDEC0DA8AD8EAA30256A,SHA256=CE7446F5930E8CFB2E1792D57D3496AF9797DACEA635B9C926C2F00743BB9DD8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000067726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:47.722{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000067725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:47.722{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000067724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:47.722{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000067723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:47.722{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d92a5e-0x7bd88653) 13241300x800000000000000067722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:47.722{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000067721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:28:47.722{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 354300x800000000000000082481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:45.280{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49426-false10.0.1.12-8000- 11241100x800000000000000082480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:47.093{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:47.093{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C06E40884DD4E5526F3082C89B9B0C9,SHA256=0FEFFB64FC2FCC0700D2EE07F898EB0001C747F73BF84C2EC8C26686BA22C7D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.210{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.206{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.202{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.200{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.198{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.192{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000082500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.189{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:28:48.189 10341000x800000000000000082499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.189{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.187{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.185{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.179{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000082495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.177{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.176{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA7B9A2EAD6502DE68DD4A0A3DA4BDF,SHA256=61FF69E196CB009C817E5519731E8928C7D235CC51E30C90D913F4599CC75192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.168{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.164{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.158{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.150{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.142{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.113{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.099{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.093{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.083{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.074{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.040{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:48.029{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000082508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:49.164{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:49.164{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B4076793B59C7039F2361B61E572DD,SHA256=502F86CFB4AC27F5E07AB9232F285533AF84894D6E76DA66E89F0BD5199008C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:49.087{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F3BB779B5D03BC0E7850824FA5C27A,SHA256=808838E5840C5D9DD19CA6DAA7FCEE4A816C4EDAE5615706C75F4A08789A9301,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.716{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.715{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000082521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.456{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.456{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50509E756C881C280F2D70583C97BCDA,SHA256=2A202FEFBE09D9E257F95D24BCBD7200C072120093359773FF22043F0A7B766A,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.382{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000082518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.380{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000082517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.378{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000082516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.377{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000082515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.376{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000082514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.375{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000082513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.373{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000067730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:48.218{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50295-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:50.175{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0CCAEE5B6DEE02351ADECD5C387A77,SHA256=BD2E1AD1B0B50DE2D878420C9711A371779B9828D8F7CD57C03A6ABFBBEA10F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.267{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.263{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.257{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.245{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 734700x800000000000000082549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.432{F172AD64-7634-63C6-AD01-00000000B002}4232C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x800000000000000082548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.432{F172AD64-7634-63C6-AD01-00000000B002}4232C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 10341000x800000000000000082547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.432{F172AD64-7634-63C6-AD01-00000000B002}42325648C:\Windows\System32\RuntimeBroker.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000082546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.432{F172AD64-7634-63C6-AD01-00000000B002}42325648C:\Windows\System32\RuntimeBroker.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 734700x800000000000000082545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.417{F172AD64-7634-63C6-AD01-00000000B002}4232C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\tokenbinding.dll10.0.14393.2363 (rs1_release.180625-1741)Token Binding ProtocolMicrosoft® Windows® Operating SystemMicrosoft Corporationtokenbinding.dllMD5=8AD65F608FD6964085B365A43F8DBEA4,SHA256=E088353C88877763D4E5BB6EB7FB55C81908DF639A9AF89EECA546FD9EDB18DE,IMPHASH=EDBDD2E193CED10C0D380B250BFC13C5trueMicrosoft WindowsValid 734700x800000000000000082544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.417{F172AD64-7634-63C6-AD01-00000000B002}4232C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\WinTypes.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=66D8DF1956272C96C3C9A27D9CF1E700,SHA256=615CFE128949B501E3828CF8409ED9ED25E9D8CC46FB7689F7A292736EFE0EBA,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x800000000000000082543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.417{F172AD64-7634-63C6-AD01-00000000B002}4232C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\TokenBroker.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Token BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationTokenBroker.dllMD5=F154CB02B36FCC01FD0750EBC6CB9593,SHA256=4353093B7A439E2C10FDFADCE5447D1738BE997403AB39DD6CB35FAE61E86E2D,IMPHASH=F91C8ACC62DFD3D725FAC2A0CBB6AA8FtrueMicrosoft WindowsValid 23542300x800000000000000067731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:51.276{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3321D16D1A4770E63946A707D726DC7,SHA256=F083C4EF717BE4D19036E9C6A494B0B806BE947EDE242D0D73C40389D93B7961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.321{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.321{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.320{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.304{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.295{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.293{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000082536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.270{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3747F818602F27DA653EB4AC56E6B3B3,SHA256=D7E8AF921D1214E5577082E2F7B4B779AB5EB999D6F8F28A12421BCBD2FCC3CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.266{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.260{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.249{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.245{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.244{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.241{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.239{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.237{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.235{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.234{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.232{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.231{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 354300x800000000000000082558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:50.227{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse114.33.53.209114-33-53-209.hinet-ip.hinet.net56386-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local3389ms-wbt-server 11241100x800000000000000082557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:52.509{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:52.509{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112B0AE0F2C075084CDA6620F61CC5C8,SHA256=9361BCD513420987EAC70DD86FA9E04EA59BA5707CB357F7577B0B8CE303BDD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:52.366{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F7215110EE011E3B8008D7605105DA,SHA256=3FDC7B1609620611066FC355312F69FC690CBF4694BA18F548BE7247E5CAE513,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:52.384{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000082554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:52.384{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=113FEABF2E03A7190591485B7C7736D3,SHA256=05C2D626D435BA2E66369BA8D60A9156C4F2AF8EC7B84E823A623710F7D51AAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:52.289{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:52.289{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000082551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:52.034{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:52.034{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE4FE5836D43847908A20B84D86DB29,SHA256=4DD8096587014ADEBB08431D32C23B5E6AA54AF303EAF22F2DF9277C4A46FE5D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:53.622{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:53.622{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE987EB0AD3FFBF256C8C3949A1E38A,SHA256=18A41BFDDD43341B5A0530EA5D4512211CF672EFF50AE4FEB1C8158416F38EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.598{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403842CD3A3764427B8CEF995B39BD9A,SHA256=9B19772DD3CACE9EE2256BABD6887482A1E43461861E687968E715531A71BFB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.418{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.403{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.375{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 11241100x800000000000000082560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:53.434{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-17 09:40:52.407 23542300x800000000000000082559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:53.434{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E034125A74E82353411BFFEE258B6C92,SHA256=EE6B5A7D115C036792317B95F7BA37B8D2101A1395842C1C8621C794E594EFCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.362{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.360{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.332{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.323{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.303{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.283{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.271{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.266{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.263{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.259{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.254{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.251{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.247{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.244{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.239{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.232{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.230{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.219{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.208{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.168{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.162{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.155{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.147{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.131{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.123{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.117{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.109{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.105{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:53.100{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 11241100x800000000000000082567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:54.990{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Temp\Downloads_lockbit_opendir.7z2023-01-17 10:28:54.990 734700x800000000000000082566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:54.833{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=4849E9F93A0F34EC87F82E26049B47FD,SHA256=ADA89724741D0053E8322199764BDF5B39F7B94C0D973248D5FC7AF2F59C8590,IMPHASH=FA770D60A54EF20694B1F385EAA957B5trueMicrosoft WindowsValid 11241100x800000000000000082565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:54.708{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:54.708{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC5C03567F138DDC86F724FBD0C99E9,SHA256=B37AAC9C3C08C0815BC6199E6A7B5ED82D257BDD46E4D3509D5995413712EE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:54.434{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BA8F9FFBA24995DAA265B84B064702,SHA256=2F454CA366E7F2A9249552A8B6D1E14848BC5E655D2C84F00B98DF2592027468,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.224{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49427-false10.0.1.12-8000- 11241100x800000000000000082581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.781{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.781{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768005807742C3721FB7FCE3B3C118A0,SHA256=55058058DB402E4AAD1B4194F7DF9F9A06DA9969E215D09AE68B1A22F78FF73A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:55.998{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000067775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:54.239{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50296-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:55.526{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB39ED8D9E14D8C93FF87A1F29A7985E,SHA256=C3D2EE81B8C5C8D8CF941F47B884BFF1C2E5BA14182CEF42C12E5A7F62959A51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.454{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.454{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.454{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.454{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.454{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.451{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.451{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.451{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.451{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.447{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000082569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:55.447{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000082568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:51.949{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63884- 11241100x800000000000000082584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:56.871{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:56.871{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC79C63FF4D731024EAF3391B94CC965,SHA256=CEB23BECF144DF8BF13AA43222A3DE9E885D1B1A921CF88C4CFAFAB5188329E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:56.611{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC109B065077FD8F85BEC1DF603C09A,SHA256=D15F0BAB51ACDA5BC58387DBF6DB304F8B02918F4460394893BACE24F5AF86C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:56.062{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:56.013{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:56.013{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:56.012{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6204072C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000082586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:57.960{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:57.960{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC983AE18062FBFAE8E33D0B648B6E5,SHA256=BF4FC92CFE7808BD21D698F270CCBB91221339C43F4B607017B3B48A4809F34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:57.713{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778839E3119CA8103FB95529E5486450,SHA256=2FDA84EDBA5ABBB1546AA3601CE13C1D5CE15B662D43366D26F9F5DCEEAD56F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:58.810{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9844719B135D9B004D1D5AD1F65815,SHA256=B1D197E6DCBBCF1BEDEC9495242117622E12FE0D8354444D6EC2639B5B018505,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:56.280{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49428-false10.0.1.12-8000- 23542300x800000000000000067784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:59.912{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A5CBE863D815118E2645EB2EFCDC1C,SHA256=421D9AA57A83FA699C8EB4B07F5E8E3C911E14E7C6806BEDABD5617AF7BB17FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:59.045{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:28:59.045{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E06D020F85168ED2A3410AF5D1D0C16,SHA256=5016A3AFD0D8720A15D6A0D75C7BA74FE444A3C2E34BEA167950629FC58D83DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:59.584{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:00.145{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:00.145{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EE7C661427FB388F8CE303C82605B6,SHA256=D5BF5911C5609DC1D1D0432BEB679AC1D1A49C030BC4278E92EA006920BF4B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:00.337{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8E5D524B8F92779F9A08E80668BD74C5,SHA256=6B1D7A827BACD70CE75E160C384CA32F53328B95203323AF26510251AF45F1B0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:01.242{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:01.242{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5517BEAD9810B7D597E19E081D83AC8,SHA256=788A19D62FD4855517E93ABC50ADB558BBC36DF520D0589CE0B9140173705F3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:00.016{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50298-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000067787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:28:59.563{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50297-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000067786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:01.019{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A5D77D89FA8D07BC9BB7C7444A01E0,SHA256=3743D7012AFBE1C2BC55A2CDA6D390360BDEE0337A687DFB8BC3D683EC8D9912,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:02.445{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:02.445{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44FC70F82E49C2654D74A1A79F178B3,SHA256=A3D984CCB54F0C3C69422E1624D37C992F1D9E1DE9F787DB2DEB3C3F41160CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:02.112{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A07578FCA65366B202B6C8F8597DB2,SHA256=078334A07ADB91A0AC1D14A716292A30A632FADF78767C29DD49C08601AF74E2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:02.333{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 13:16:44.659 23542300x800000000000000082594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:02.333{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0E2A50EF294C17B6D1C19A214FCF5707,SHA256=589103B184CD48A1F4870F0025B489A70CE573858079117F35C05016F4269121,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:03.535{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:03.535{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DDDA9A90F3899142C1B6BFC0A60639,SHA256=317251F03E2E9A94304E236F54DB68F1C8C5BE9F9AB03F5B60A861DA8759668C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:03.209{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F661716E7F6C4B40DC16B551FFC4A905,SHA256=3FBC4992BFA08D13C1F999F5E4AF18FAFC08F553765987A0F4BD468E79D1F585,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:04.633{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:04.633{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D03B1C6DDBE7B7FB98E03FD6B7B006,SHA256=942BF9C9918E8A0D56C49C4E933D464586A881CED73C0587BDACC9AB82864A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:04.410{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F920B8C3919F52F26BBDE6A1F5E438,SHA256=3C202BA5EB5DA58195A8AD232DF694645BB1772EFD58496360E44757218247AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:01.305{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49429-false10.0.1.12-8000- 11241100x800000000000000082604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:05.712{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:05.712{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EFC4ACB55E648462308A5956EEB04B,SHA256=B75A25D844252D670F1BB4CB6DBF7730004B73C53AD01FCB25FAEB241D7052D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:05.506{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA5D3F29C384E6D7C832B111A0415B3,SHA256=971F334A71B2F809702C3BFC3371D6FEACA4F9D4F14DF4EE0C85FE43099AEA96,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:06.814{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:06.814{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5571608F0A33B2E747552C9143AD49,SHA256=03A7FC55DED98C8151DD4E5940ED8BDDDA20C1733FD8F7E92BE02F1495988CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:06.596{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AAD4731B9F5990DE9464B09A624132,SHA256=8FA8F2F0A8316D7F0C20A8ADACE3E875A723220969396AF8B974914E06D30594,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:05.216{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50299-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:07.698{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FBFE1E17205E84F3063092589EF129,SHA256=DED26B285DBDA0A0D621E47E2B31B3C61654D39D34F8E4AFE0611EBFDA0566E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:07.913{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:07.913{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F520E8A257A8F91181F0AAC10272B3F,SHA256=3CCC05A996D116ABF80C36195D60E486F644940CC3F056AAE8A3F5492F82DA8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:08.785{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3654297418318361F4060142DC28A03,SHA256=E0633AF74123F66E85C8F7C0569F38575004F9FF73C468B388BFF6B1BBCFF0EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.171{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.167{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.162{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.160{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.159{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.152{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.148{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.147{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.145{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.139{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.130{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.124{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.118{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.110{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.102{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.072{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.062{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.055{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.047{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.040{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.005{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.003{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000067797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:09.886{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BCAF2BA2B3A0EFE6A5CFCD25F8B83D,SHA256=12A8B898D640BFF4DABFDBD9D394B99D6F16AA505389E166B5548E41D2CCD3AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.991{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:08.991{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1006B56A39D73089E7591D08D033CB9D,SHA256=C439166E493302D23B70BE72CFAFCA152BE470DFB0390C4E698929E24180414B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:10.987{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E858BF6E2AEDE2ECB93E4D966C4D9E38,SHA256=DB3315D7FF07D4E2632C7EEE972A2DFFF1E0F839EBEAC336286C3FEDF49F69E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:10.619{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:10.617{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 354300x800000000000000082639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:07.326{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49430-false10.0.1.12-8000- 10341000x800000000000000082638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:10.216{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:10.212{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:10.206{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:10.196{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000082634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:10.087{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:10.087{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFD2FD43B15886C02D7360B8DCB16DA,SHA256=B422FB8A2A6A8560836138EA1228E2DDC3AE3295F886468CD8319126D1C716E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.226{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.225{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.224{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.209{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.198{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.195{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.167{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.161{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.148{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.143{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.141{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.139{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.137{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000082648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.134{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.134{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6EA3CCCEFC1AAAFB70FB1B3010A7B3,SHA256=24555888158CD2C689B8CF10947FA1A1F3E1D5FB7705281BF23A7CB16D561EBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.134{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.131{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.131{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.128{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000082642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:11.127{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000082663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:12.231{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:12.231{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CE9CB7EE52BC56A52D85DC06268A38,SHA256=E40EB695E10E34390C91F0E408530F3CADFF171DA97BCEA3E2BE2E28C81F5149,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7878-63C6-3402-00000000B102}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7878-63C6-3402-00000000B102}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.364{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7878-63C6-3402-00000000B102}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.366{F6EEFE7F-7878-63C6-3402-00000000B102}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000067800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:10.254{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50300-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:12.074{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BBC29F49AD9AD8B261702108FD27C9,SHA256=485DF3639688F613F597EDE6CBE32838C81597B9E48EB1A2068D753FB42C5F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.910{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-047MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.454{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.445{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.422{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.409{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.401{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 23542300x800000000000000067850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.370{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD2A8945AC3D3EC046DF36CC15B01932,SHA256=24FB1D6A848CAA072F6CFAF9CC06FD10281EC123C759FD3AB6BA55BACB57F3FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.368{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.354{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.324{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.312{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.308{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.299{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.291{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.289{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.288{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.286{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.283{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.281{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.275{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 23542300x800000000000000067833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.271{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7336D5BE50009BBE0FB96C8527D68962,SHA256=638B76C9FF72D8F61AD421B6AADA65A08EB6F7588271212B7A581AD78A205BAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.266{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.263{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.248{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.226{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.223{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.200{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.191{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 23542300x800000000000000067825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.178{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA7F7E7E958F3470889C2B3260373C3,SHA256=EF5102FAE6FAE4927167D9AA4E88AF7BC5DFEE32AB907D1B79B4083DE8FB1B3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.154{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.149{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.143{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.136{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.128{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.124{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.118{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.111{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.096{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000067814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:13.093{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 11241100x800000000000000082665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:13.319{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:13.319{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C02B4B6118A109715491E424A21D37B,SHA256=7590CEB430909DCC4C9F586456E851685B9CC041113C0A33596EE46FB07174FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-787A-63C6-3602-00000000B102}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-787A-63C6-3602-00000000B102}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.977{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-787A-63C6-3602-00000000B102}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.978{F6EEFE7F-787A-63C6-3602-00000000B102}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.917{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-048MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.450{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-787A-63C6-3502-00000000B102}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.450{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-787A-63C6-3502-00000000B102}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.450{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-787A-63C6-3502-00000000B102}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.450{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-787A-63C6-3502-00000000B102}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.450{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-787A-63C6-3502-00000000B102}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000067872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.450{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-787A-63C6-3502-00000000B102}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000067871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.441{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251935095F9BDD60D89CC54019382B06,SHA256=700861EBC081385FA4D4261551C10DA594D9277C07D78CBCD04F8928389FF1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.338{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C154BD59E0093823D7564762997D29F8,SHA256=C864DE59A160081872D5601DED9EE8EDA930771CCF22064126483AF0449613CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-787A-63C6-3502-00000000B102}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-787A-63C6-3502-00000000B102}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.305{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-787A-63C6-3502-00000000B102}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:14.304{F6EEFE7F-787A-63C6-3502-00000000B102}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000082667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:14.417{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:14.417{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92DD489BFEA4BB443F9E6D45B038C00,SHA256=62B4D5C581A4F2BBDA057EBF2B998A288888C555136E0638DD4BEAFEA10FB567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:15.513{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30BF11D0BEDB3CD2240EBBC06633E1D,SHA256=9BFAEE6867B2B8AA491C0050AC4B239E498C81701BD3BA8FFA5523D507D47A20,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:15.500{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:15.500{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FB70EF351968D337FE2BB01D5AEB54,SHA256=DDF0F03AB1807498FBF96D0BCB222E49813222B0615B4AB059557771DCC613AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:15.196{F6EEFE7F-787A-63C6-3602-00000000B102}35202660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000067908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.549{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26C63BF81CB50DC592F9A4751EEF2CD,SHA256=782ECE0F165A5EF7B38CFB53F293574E4EB910FCBC5C05ABB03B8EE9000FDBB2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:16.585{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:16.585{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2DA754DA2F1DA023AF08B87C87DB52,SHA256=FF964AFFDEB359F02F05D06871D13EA1AED1F7D653B7B5510CCB895450992CA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.378{F6EEFE7F-787C-63C6-3702-00000000B102}5722896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-787C-63C6-3702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-787C-63C6-3702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.210{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-787C-63C6-3702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.211{F6EEFE7F-787C-63C6-3702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000082670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:13.199{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49431-false10.0.1.12-8000- 10341000x800000000000000067936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-787D-63C6-3902-00000000B102}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-787D-63C6-3902-00000000B102}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.889{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-787D-63C6-3902-00000000B102}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.890{F6EEFE7F-787D-63C6-3902-00000000B102}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.623{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFC8A1F99665C4F027A1EB77CB7DFCD,SHA256=ADCBDCED539D688EDD7A91EE37B8552A3E9E240CCEC05905F4E64C45C5E66AB4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:17.671{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:17.671{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA5B375ACB151D40D830B413DC05F36,SHA256=882B73FCDCE69A2E7237FD8ED1C85DD122FC6954E5880809AEB7E66B05880FD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.450{F6EEFE7F-787D-63C6-3802-00000000B102}49165372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-787D-63C6-3802-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-787D-63C6-3802-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-787D-63C6-3802-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:17.296{F6EEFE7F-787D-63C6-3802-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:18.719{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A712D7F0A985E92F03FD51AF205E0196,SHA256=272DE3CEE8D6E5B0DEB60D8BF7A4EE3C928793E855A6E17A5F00D1B1EA3B442A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:18.773{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:18.773{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C1661129CD7FE2E22CF5BC24C5356C,SHA256=1357257870CA4F3D96B1EE95524F7F7C96EFD483A7C934DF26181D6DC7635067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:18.392{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E0CC546BEFC9C88914F1C7F67959F2B,SHA256=45B7BBC125D6AD03C9F60AF8F805F347126DC1830F3FBC468B827620341C2B25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:16.142{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50301-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000067937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:18.045{F6EEFE7F-787D-63C6-3902-00000000B102}59485860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000082675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:18.187{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:29:18.187 23542300x800000000000000067954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.823{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A1DB19CBEE2D6B3B499F9CFE854ECA,SHA256=E66A96ED2C639F68BC0F06DAC37BA6E221E7DA6ABD114A9E62C50D86C2DED37A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:19.847{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:19.847{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1707904F0F14CD335A7B96FC6D7DA56D,SHA256=B0432A91F1802FEF91AA90C9A8ABC24AE7B0475109C1856DA2BD4F79A1ED0076,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-787F-63C6-3A02-00000000B102}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-787F-63C6-3A02-00000000B102}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.544{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-787F-63C6-3A02-00000000B102}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000067941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:19.545{F6EEFE7F-787F-63C6-3A02-00000000B102}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000082786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.860{F172AD64-7880-63C6-3B02-00000000B002}4268844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.860{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.859{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000082783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.857{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-047MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.852{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0472023-01-17 10:29:20.852 11241100x800000000000000082781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.851{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0482023-01-17 10:29:20.851 734700x800000000000000082780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 11241100x800000000000000082771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000082770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.708{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2EE4B42FDFE7E2C7F4F5D05D951D058D,SHA256=306A8E10150F310DF2A9EB4C28930BB0F06AB0D158605BE53A71F707B20B107F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.706{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.706{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.706{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.706{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.706{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.705{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.705{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.705{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.705{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.705{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.705{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.705{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.705{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.704{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.704{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000082754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.704{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.703{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.703{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.703{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.703{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.702{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.702{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.702{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.702{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.702{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.702{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.697{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000082742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.697{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.696{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.696{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000082739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.695{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.695{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000082737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.695{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.694{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.694{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.694{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.694{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.694{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.694{F172AD64-7880-63C6-3B02-00000000B002}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000082730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.238{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000082729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.238{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.238{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000082727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.050{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.050{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.035{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.035{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.035{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.035{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.035{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.035{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000082710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000082705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000082691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000082690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000082687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000082685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.019{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.020{F172AD64-7880-63C6-3A02-00000000B002}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000082848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.933{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.933{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.933{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.933{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.933{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.933{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.933{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.933{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.933{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000082839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000082824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000082817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000082816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000082813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000082812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 11241100x800000000000000082811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x800000000000000082810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 23542300x800000000000000082809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362E524CD6D2BABF42AF72CB14105597,SHA256=E4C0CFDDBF89340BD9881CA98285002E5E029F0D37876D13C115D9CE80346FB2,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000082806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000082803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000082801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.918{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.919{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:21.025{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E30D55981109F4A2553FFFE398717D,SHA256=B48D936E2681D741BD8E5D48C115EA9CE646D56839974655249EC3F64624FF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.857{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-048MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.238{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9187B9C953D46372F9ECBD039D646E9C,SHA256=9A45E8986CCFC16276A1CEFE64CCE3C5FB5171644764AC6E50DCC037923424FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.156{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.156{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539741260E21A212EB8F50F3D3F38117,SHA256=82F8BC21CA388D485307D94CCDE8928A1AF6E130C4B71D7FD75DDD963BD5DDAA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.140{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.140{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9327A6BE98216EFC8DE312064C8F4DCB,SHA256=70583EF28A2A896EE04ED995E3D01B7578D53D5E955DF15AA3918DD073A48804,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.140{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000082787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:21.139{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1162CEC3FA1EBAC965BEBDD978CE9875,SHA256=37E615225C87478513BD46161513E1624C48D90EE5F20E103AFB5219E5362C40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:19.211{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49432-false10.0.1.12-8000- 734700x800000000000000082851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:22.111{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000082850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:22.095{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 23542300x800000000000000067956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:22.131{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2FCFFF9BF7A67B03AB74BB279781D7,SHA256=D1919A182AE78635968DF0785D8215A0A9D01428E1B6F0DF011E3AEFD221BF8C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:22.095{F172AD64-7881-63C6-3C02-00000000B002}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000082856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.728{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49433-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000082855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:20.728{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49433-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 11241100x800000000000000082854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:23.080{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:23.080{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0B2BE12C003E1723DA94227162844C,SHA256=502417481A3278F2E338B6308ED2EF4046EEF199A6A6CD803CF8399B77C18DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:23.207{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24234D69D932DC781CD6C3190BF776D0,SHA256=421DD067CA32E0E9BD78F3E76007AEDF8A2032F7707101F87518DB410EC79EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:24.269{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF044BD98C3869BB613BFCDA03B6FE8,SHA256=03EC14DA334E9111EFBD9E15D6132DBF7BEC3BC85D87455CDD712732E48BCD83,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.555{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000082908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.555{F172AD64-7884-63C6-3D02-00000000B002}48966252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.555{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.555{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000082905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.383{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.383{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.383{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.383{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.383{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.383{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.383{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.383{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000082887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000082870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000082867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000082865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.366{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.365{F172AD64-7884-63C6-3D02-00000000B002}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000082858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.220{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:24.219{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07275E21865A9FAB65FD402B5E18331F,SHA256=606B9AC530D52098A10714D4B77584B0CD0B559D4BB6A23673E21601EF8630E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:22.109{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50302-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000067960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:25.362{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4236D70D35CBE7F4391DBE08DCD8E68C,SHA256=B8A8BE26572648D9BF8CBCC1CE4468FB96FA6047778B0E287235EED8EACBC7CD,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.810{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000083015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.810{F172AD64-7885-63C6-3F02-00000000B002}44046532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.794{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.794{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000083012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.653{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.653{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.653{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.653{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.653{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000082993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000082977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000082976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000082973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000082971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.638{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.639{F172AD64-7885-63C6-3F02-00000000B002}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000082964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.350{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.350{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE36D1257B88ACEC78FE1CA06B957A43,SHA256=FCBD239391CCBBE4E7F3B65B1854F5480F4829E9415302060853DFC608677165,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000082962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.347{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000082961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.347{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B81262CF49AD072585146B39297DB36,SHA256=28DA77059FD0D493926A9CCA709AB0A0DB0D01859CBD845046F12202244B3C19,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.220{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000082959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.220{F172AD64-7885-63C6-3E02-00000000B002}58165776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.220{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.220{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000082956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.063{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.063{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.063{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.063{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.063{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.063{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.063{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.063{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000082936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000082921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000082918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000082916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.048{F172AD64-7885-63C6-3E02-00000000B002}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:26.458{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B9159154D4F145A42D442A6982B548,SHA256=B3DF016F79263E4F9B84419EB28132A82EB8F8511951B958D4C31A86A1A6428B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.793{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000083070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.790{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.790{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000083068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.743{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.743{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C35AAFB5C3683104EE318A65D26006,SHA256=C2BD60BA9CBE8B629CCEEBA337D9DB188000AB01957330472645DC222A812116,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.743{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000083065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.743{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB6455A3618CC246922F374FD76C28B3,SHA256=5A0D8276AD637A71718A6A98B1F5AAC2B1173F7679FD30F9AC1E88A39516F27F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.634{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.634{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.634{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.634{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.634{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.634{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.634{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x800000000000000083050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000083032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000083028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000083025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000083023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.618{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:26.619{F172AD64-7886-63C6-4002-00000000B002}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:27.542{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970704A1882C34DD0B65DFC8C89B49B4,SHA256=A4A36F59AC079D6E297166C917E5C4ACEE30C6009ACF883F2338F476CF3E7FEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:27.999{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 11241100x800000000000000083074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:27.824{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:27.824{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B517AF9882CE8D50A0B273F9C9CB80,SHA256=C23EC71E388B77ECDA2E1ABF3822A3E4AC96E3F865AE716EDAF69310D6C4E7C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:25.209{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49434-false10.0.1.12-8000- 23542300x800000000000000067963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:28.634{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F089E45C36B4A5E214CBC4509E4C7E38,SHA256=47D074872EA5FB2FB333783CFAD18E3C29B73BEE49893C94D90B49C1DC5B5255,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.869{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.869{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42602869347A4231DFFE9DCAE22D011,SHA256=F472E04D506E857C7C9C3AAB302F1C51929335C9F6155214E371331759B9AC8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.182{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.177{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.173{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.171{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.169{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.163{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.159{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.157{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.155{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.148{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.138{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.133{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.125{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.118{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.109{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.072{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.060{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.054{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.046{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.039{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:28.001{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 23542300x800000000000000067965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:29.943{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C37108D5ACFE7B32EFFB3305535CBCA,SHA256=DC1C96A35CE20D562801579DBD06A7E544A004FAEA2A07D37A3870AF5B8465E2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:29.979{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:29.979{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E591B1C428624DB89E9E9757160B1A5,SHA256=37B376CA2C047FE47D558D41080A0FD0A78E3445367AFFFFD9EA06E50242392A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:28.098{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50303-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000083106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:30.674{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:30.672{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:30.238{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:30.234{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:30.228{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:30.214{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 23542300x800000000000000067966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:31.036{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6F3EF7B72DF5FC6850106E6FBF7599,SHA256=6D71D49F8CB93E714E11558A30F1913455EDCBB904B18D20DE79692AB67F7DF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.564{F172AD64-6CE8-63C6-0D00-00000000B002}8922084C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.564{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.274{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.274{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.273{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.258{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.249{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.247{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.221{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.215{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.204{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.199{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.198{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.195{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.193{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.191{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.188{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.187{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.185{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000083111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.184{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 11241100x800000000000000083110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.054{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x800000000000000083109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.054{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.039{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:31.039{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374DC36D62E6C069557A300FC90B57B0,SHA256=5388D8EFB7F349BE7CC3452483BA60DF8E0D90222D6F5DBCC07A7432A2923016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:32.129{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D344D12D8D19597FF33DEADA029F57,SHA256=DEAE4720B85159A0A270ADF6CD5A0AF7EF11D42C6C5A26459B00C8DFAA4A562F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:30.260{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49436-false10.0.1.12-8000- 354300x800000000000000083133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:30.167{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49435-false10.0.1.12-8089- 11241100x800000000000000083132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.120{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.120{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19E41E000FAE9A2C85CC5E789232748,SHA256=C91AEF256392B820F403B0B0FE7BD7634A908AAED58D8E151C1463441F142810,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.436{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.421{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.399{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.382{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.379{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.344{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.337{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.300{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.291{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.281{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.276{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.270{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.262{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.253{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.251{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.248{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.245{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.240{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.238{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.226{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 23542300x800000000000000067983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.224{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0093C581B37B9852277BE078DCEFD8,SHA256=8B6FBD7D919E5373F4BA56E12B04DF58833B0227CDCFBC93097F58C880273670,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.217{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.212{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.199{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.181{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000083142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:33.671{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CCA-63C6-0100-00000000B002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 734700x800000000000000083141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:33.671{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\System32\svchost.exeC:\Windows\System32\NtlmShared.dll10.0.14393.5291 (rs1_release.220806-1444)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=3A44E9A10EBDD0D2746002CCC20CB441,SHA256=81279D12F880183167FC48BDB2245A37DEDD59089CB57FEC63286E5B31BE4B91,IMPHASH=36FD662FB3EF657597E485F3FC734A67trueMicrosoft WindowsValid 734700x800000000000000083140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:33.671{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\System32\svchost.exeC:\Windows\System32\msv1_0.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=AF9947AC936943B2B19A63E225DA132E,SHA256=CCF0E51F1255538BD183343D41912B426B3207807448FB8F10311B8A6013AA0E,IMPHASH=BCA5B616268D9E5FC12AB66DF3B96D6AtrueMicrosoft WindowsValid 10341000x800000000000000083139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:33.671{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:33.562{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:33.562{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000083136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:33.215{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:33.215{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92540B5252EB7971AA2A8E8073294B62,SHA256=1B85E53F59115349D293F37B188ABD5296B682A3C507E68D9003BB0F1BB8F548,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.149{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.142{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.136{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.128{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.119{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.115{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.108{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.100{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.092{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.086{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000067968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.083{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 354300x800000000000000083157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.810{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49441-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local445microsoft-ds 354300x800000000000000083156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.810{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49441-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local445microsoft-ds 354300x800000000000000083155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.804{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49440-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49666- 354300x800000000000000083154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.804{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49440-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49666- 354300x800000000000000083153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.803{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49439-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local135epmap 354300x800000000000000083152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.803{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49439-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local135epmap 354300x800000000000000083151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.701{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49438-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000083150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.701{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49438-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000083149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.693{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49437-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000083148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:32.693{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49437-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local389ldap 11241100x800000000000000083147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:34.651{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000083146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:34.651{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=314DA9A889D648E661F0AAF26076AB0A,SHA256=0D7037F4963FB61C4D31FA52A8DAE528D0E793E5C4EFF45CB798D731B12387E6,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:34.620{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 11241100x800000000000000083144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:34.305{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:34.305{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7193BF07BA5ED9CD5A59ECFBBA191B,SHA256=545657F8E4F0BE7ADAC50B48252F2E12785D8A53C78C5CAAE996681F58C52C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:34.411{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1D12502ADCEC0D21663F24D0B02A34,SHA256=D84E96CA520106E7A556DA4A3523DF81910F084538B669A8AF2735C689A230FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:33.116{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50304-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 22542200x800000000000000083160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:33.675{F172AD64-6CE8-63C6-1500-00000000B002}1120win-dc-ctus-attack-range-141.attackrange.local0fe80::fc8c:e42c:7d3f:51d8;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 11241100x800000000000000083159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:35.387{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:35.387{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0499692D1F5F38824DA8E9157238407,SHA256=40FE7D3482AC05136BD0D0368E3DEEDF92BCED3BEFFBBE083077BEAB2923075E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:35.499{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54DB3A53791CAF94DECAEDAB877CDFA9,SHA256=54C65470BAA4E41D149226310FE589A511824FF462802AE29EEAB48E7E83FA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:36.587{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D180132E4F0F3EB4CE36784030DC049A,SHA256=6B0197BC59C32F9D8061661A662B4ED38C8118C45225918A637DDDE8D98CBFA0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:36.484{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:36.484{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1AA0901DE56BEF708811633BC7B401,SHA256=F282E25FA40B05B463142E2F8BEA82EC18356056B31698963FDD8B57F246BCCF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:37.570{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:37.570{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D2022FD54242A62860A1E0A00A54B5,SHA256=180491F90674EA83113230B54C3D4B62977173583B2316B06863C8E986F1CC26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:37.011{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000068042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:38.301{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622750CA67960C12CE9D6DFBABC7708C,SHA256=BAC24563E9CF834DA0E047A016B13DCC0973095F63FAD750DCAB9CB37502E640,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:38.660{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:38.660{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B342BE6BA2DA79C89F9B3A28294B69,SHA256=4AB5B0CD23F9B5EAD7861CD741ADB946AEE2D1F36F346B598317B6D41B0AA8E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:36.243{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49442-false10.0.1.12-8000- 11241100x800000000000000083169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:39.756{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:39.756{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7299F2763C099FA029317855AB7588,SHA256=0B505B7AAD58AEEF49FB4C835D8E5E0D860B0C7B415661AB909924A0266D2442,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:38.184{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50305-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:39.464{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504B3741074A9EC42E864AFF2C3217B9,SHA256=C8A2AB3BA55E96E3251F5F78BD195F80E8269AAF0816A54CC12385FD8F76C845,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:40.861{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:40.861{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69103E5714F66D8DC631BF33A9CE3A0B,SHA256=3F6DCA9D1353221FA7D034AFD2040B7D24D3374E4AF34854A1FFA0CE79939282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:40.556{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FD3145515373C93A7E333683155478,SHA256=0BCD1D3FD0551978D5B86D2C95F91F4273AF4A0125827B568607532EF20CEAF6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:41.953{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:41.953{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07499D5375B292BBE73190EB2B90CD5F,SHA256=60D711D380F13B3F41C581F6F1BF9F4A7F9222E637C1DEEB1EE20A096E13CCE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.863{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.863{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.863{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.863{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.861{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.861{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.860{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.860{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.858{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.858{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000068046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:41.654{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5DCC7F5097F10A086FD6ABD51FA78D,SHA256=97E7DE9E243E6CB5CC09488AE2D976CAA1109C90379DD9950AF71C8A683B3F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:42.746{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B4388EC6BCAB4CAD978D99ED4F9ED9,SHA256=6AFA1BEBA7C75C0C0D6E4DD9C3CD528E2EF3E69E89293AD51365D46E1CBED696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:43.849{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FDD944A1B1F48D9D19DB6B93E54902,SHA256=5A3A7EFB0E8AC98D7BDF68250CC3E8F267A54EC5908CEF37ACAF91D1A661BBE7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:43.052{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:43.052{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B49FB028C94C09C5E2BE5A939A314B,SHA256=4777147F6551CD8AD3A0F16F6013A0E0B740293C4831E5505A3DDCA3E3ACA8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:44.934{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8861CA1B36CA5A619E016CFFB7F3C622,SHA256=101A325B9C293DCB6D8012EFE13CDD6109E7B29241FABD5367BC024781629CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:42.195{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49443-false10.0.1.12-8000- 11241100x800000000000000083177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:44.147{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:44.147{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EDB81945DDB5DF94137A1A07FDB7BE,SHA256=A4B5FB51F9974F2D8CA946AFB0EBA2D81A08E7C26B1CC4BE584EA271AE61AD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:44.497{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1ADFC609988EC1865112DC4F6434493F,SHA256=9AA2A58BDFA697BDAF7C605C274B191865C47E39499FE75A859DA90AA6D4D853,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:45.577{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000083181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:45.577{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63FE674DC014173812BE0A18E5E24A8E,SHA256=D59D7ECFAF67114AE57346FF8D8EF24D33A905CB6C185CFCA00B3B6ABF2F9FF6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:45.231{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:45.231{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054DB24807F3852DA6ACED4158B5D1B4,SHA256=E84E542A1FBBF03145830C948B0B0EEF2100761AD3C0436729045515B95B4CAD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:46.311{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:46.311{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874414EB3EBE2CB0D18D129D8901B36F,SHA256=BDBEACCCCE87410A2285BAA612D831C04004CFE90D12B064E42DC9A4F6A427BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:44.051{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50306-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:46.027{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469BFB7CCF7E5ED27180AD674D65D58F,SHA256=6F9B372E5F264412E2B76B8A43161849101C57CFD616F2866DD06244AE53A26A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:47.399{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:47.399{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B718FB2A8607035095B53ACABE0527,SHA256=A0A8263C46033A23C83CBE08875EDE031A937D555916BE7D68F6CA558754C14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:47.217{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911DAF8D00022AEEF5F2D67679CB13D4,SHA256=D0E6F05A9997926BD0CBD294B6ED9417E56CB679C5EE98CD40AD27BA44B1CF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:48.316{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A697556DB383E99F54503BEA2483AE,SHA256=57315CCB89A7DC158C06FB3AB357D10B8C31014DB164AFDA7B1F460E3B7638A1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.460{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.460{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A460F366F52D06E865F04C7F7956CFC2,SHA256=59F2CC79CF048276B10B055E8B0C2317B2909355E9F4FB4DADC9614BB1D9AC2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.209{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.206{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.200{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.199{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x800000000000000083205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.194{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:29:48.194 10341000x800000000000000083204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.194{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.185{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.181{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.180{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.178{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.173{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.163{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.158{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.151{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.145{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.137{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.098{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.089{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.081{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.072{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.062{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.024{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:48.021{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 23542300x800000000000000068065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:49.420{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53904AE45B18DD80150C2B13218C5D6,SHA256=9EA30E89D9E3C0ED09A74B75D45A73CAB19B2D933008567B7117DA7374E1DC1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:47.381{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49444-false10.0.1.12-8000- 11241100x800000000000000083213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:49.535{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:49.535{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926579D9BAF4BD48EE9BB17CCF96BF53,SHA256=768BAFA5AB810183E7D50A35C254E6ED5280C0DFFEB6BD69F531BCCCB3672E96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.803{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.800{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x800000000000000083240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.603{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.603{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5116C076B0ACDA1EDBD6119A0A691900,SHA256=C895734A92E70BAD265FED4C1A35AA73E2E42E52EDC29D7C7D968C93BCCE31DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:49.237{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50307-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:50.616{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA767FD11696D7637C08CA35942D3E9,SHA256=470F626B55437D2835CCCDF20964937476380588491E4FE538B6A1A19C0BB57B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.388{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.388{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.388{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.381{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000083234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.380{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000083233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.378{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000083232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.377{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000083231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.375{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000083230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.375{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000083229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.373{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.293{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.289{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.281{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:50.266{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 13241300x800000000000000083224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:29:50.062{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000083223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:29:50.062{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002e5eba) 13241300x800000000000000083222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:29:50.062{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a56-0x3ef635d5) 13241300x800000000000000083221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:29:50.062{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5e-0xa0ba9dd5) 13241300x800000000000000083220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:29:50.062{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a67-0x027f05d5) 13241300x800000000000000083219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:29:50.062{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000083218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:29:50.062{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002e5eba) 13241300x800000000000000083217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:29:50.062{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a56-0x3ef635d5) 13241300x800000000000000083216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:29:50.062{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5e-0xa0ba9dd5) 13241300x800000000000000083215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:29:50.062{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a67-0x027f05d5) 11241100x800000000000000083264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.771{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.771{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEFB97D7F4FD1BA86F181A50FDDFF9B,SHA256=70E6C8DCC9FC885AA41BBC761CC8D827EC1DC65044420F8165A7AFFABAE50244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:51.719{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06790946112AB7CA9C460852A4D4D814,SHA256=6B1D74516BD1445DF5116973B7DDF1230255F142394A6C727952B148AEE9364A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.567{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EF19F32F028E819A3EE87CED3536CE64,SHA256=2211CBD8001F954B272093BFE3D9101317B1F5F736CB644004B40E2CB4ED5F21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.391{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.391{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.390{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.376{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.367{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.365{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.341{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.336{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.325{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.321{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.320{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.318{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.316{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.314{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.312{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.311{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.309{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000083244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.308{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 734700x800000000000000083243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:51.131{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\sqmapi.dll10.0.14393.0 (rs1_release.160715-1616)SQM ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationsqmapi.dllMD5=D4EBE3E757147E481CF5077084FBB133,SHA256=177FC35DEA1DCE2F851BD94A76CD8C2FE5A91E49C596A0EB842F6AFFA702437E,IMPHASH=690EA16EFC3B778464AC42B8965A26C7trueMicrosoft WindowsValid 11241100x800000000000000083266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:52.852{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:52.852{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF51E774EF60CBD9F26622C0B241515D,SHA256=E353BD08DB92713CC487A8D177678D199DCB97823472900C6842292A94EA5187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:52.807{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988B691E4E4D62398EABAB63A41886AB,SHA256=71E4FFF6DBC0673C79D10C66169599BF1C34067BF29A75CDD480DC881B2DB0BC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:53.949{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:53.949{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0EB8B0E88F1C7B46E0029138098205,SHA256=545BCB1F4ACD3E16DEBE884A182C4617C272F1B1BECE5B9A966CA1B54083D3D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:53.448{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-17 09:39:52.340 23542300x800000000000000083269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:53.448{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=64B3DA85C4C79C0E898DB038C69B4CD6,SHA256=EA73C4527F472F0013CFCF7F1814DB8DA88D267B86C3B66DE568B4B280E42162,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:53.354{F172AD64-6CE8-63C6-1000-00000000B002}3563256C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:53.354{F172AD64-6CE8-63C6-1000-00000000B002}3563256C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.445{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.425{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.396{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.383{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.380{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.353{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.345{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.326{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.320{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.318{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.313{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.309{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.303{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.302{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.300{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.296{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.294{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.292{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.283{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.275{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.262{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.247{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.237{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.208{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.203{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.196{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.180{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.172{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.167{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.153{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.144{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.137{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.113{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:53.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000068109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:54.033{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD952A806EF71300937BEB5241D1E14D,SHA256=17AC92D805FC740F5A439BD2E71934141F54ED2B5F7E90B65E50EBA1BF433E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:55.093{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18EBD9D6494CC99F3E3D349DECB619D,SHA256=F4070FD0FF0E675E6B52FB7868A43746598326D0164A61D8F454AD9E3FD15683,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:55.893{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CCA-63C6-0100-00000000B002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 11241100x800000000000000083274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:55.048{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:55.048{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C87EA07C0D335314B3DD4040E2E57A2,SHA256=C6DDD9A6CCE3632A15B1B83BCD19C0F37CEDF9974EDBAA9D58CC08E216E44937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:56.191{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57380835BD028E7B5FED0E953C4F97A,SHA256=E5FBD9CB8B77A9F4292067E41798C2701076DCAFDB837A3C862F2E813BC2ACDA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:56.128{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:56.128{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E16AECEA0B3C1CCCB510472265C3333,SHA256=A2B35D9A14A0E4A9962F01038676FFAC03DCA8A1DC00919B7361046683F2A0EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:53.249{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49445-false10.0.1.12-8000- 10341000x800000000000000068114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:56.015{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:56.015{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:56.015{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6204072C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:55.999{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000068117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:57.295{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEE444631986C26860ED3B77A93AB53,SHA256=585BAC6E1306B36807BA128500496C08DE20A3DD784ACB00CE36C9B76DD5F27C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:57.229{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:57.229{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A756D8A10EDFD22FED6D2589B16C3A4,SHA256=F3F00C49EFE33A9CF87AC13A72D66F26A33C47743321D350869027CF3D5E47C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:55.133{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50308-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000083280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:57.010{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000083279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:57.010{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FDDE8D27AC0F29850BF00BE6653851A,SHA256=2C6C415AC4D2606ACB6F6689A2C9E2B5CCFFB8C6D37D20EB002F4F3485DFCAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:58.371{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D63385575D295A5F54FECFB6C5C47E,SHA256=655099F770FCBABAF7F4CD72E548562FC0396E1CF9269CA365F039A8DE980DBB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:58.317{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:58.317{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B7F24B97A02A0987729D5ADC8DA221,SHA256=27564F307E711D6A9AD19BCAC9AAA38D8B8300C056F862C52F9A230B82D4DBE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:55.022{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49446-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local445microsoft-ds 354300x800000000000000083283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:55.022{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49446-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local445microsoft-ds 23542300x800000000000000068120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:59.616{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:59.467{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F086031F00FBCB4B89BA22B0C6DBB75F,SHA256=41865F2F6DB4B93502E98C9E00AED7B38C9E505845FCA7D26AEEC0279F6E761C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:59.415{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:59.415{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAFE6BF33093EBCF65BB95FB4698645,SHA256=A3E6DF34124089ACFA48EDE2DB6FD8F9678806517AA4772353D1FDFA07EEB835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:00.558{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808730ED499F9A1D8B834B6A47E38D28,SHA256=2AFF1A1BB2A26982343A3E90CFDDE53F054143F4484A8F1B04F4F2A47EBE0AD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:29:58.275{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49447-false10.0.1.12-8000- 11241100x800000000000000083290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:00.515{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:00.515{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15701FF45759733FEFD32FA7842D19F5,SHA256=5BC37148FDF804842D14BECDBB6CF054C0F208646B7E6AD18F99312350E56F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:00.353{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C091297468A694A2F43D3DD2C8B54335,SHA256=935FEFDAEB8057F11FCC541235ED26BA73408DF2A6B1725FA83B6C20F9EB907E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:01.761{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02341201BAB1D5C2A246A18BE559E48E,SHA256=09D4B3A9C3ED833980D33012A0E69FB26A9412739A12D55202BA4352C010F4CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:01.617{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:01.617{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF7A96BABC58DB226DCCBDD501DAE7E,SHA256=21339933FEEA8859563A7BBB65CBFCF41A147C22751956A07341803D3723B5D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:29:59.594{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50309-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000068126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:02.848{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8356FE7A73FE9BBE16C535D94C28EE,SHA256=138112979B43862B5F43736845096ECEFB125A041AEB85EE2581E59706C461E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:02.824{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:02.824{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144C349D45FEE66740811DB279ECCD59,SHA256=3DDE420286318CC0DE9EFC5D01D33C2A3BDE17260A14EE6A2BFAE452C4969D7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:00.188{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50310-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:03.934{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6864257F55BA8E9E9786B534061AF6C,SHA256=054157E2529777992275A77A4FAE9E7B78CCDDA0AA687E5F1B2D3AF2D7E232DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:03.924{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:03.924{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E0F36789402FCD89B933DB1CAC6D67,SHA256=46E38CEFDB6CBF66955A7D026317EF180D0A5AE5C40329841BD0EED01387EE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:05.035{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93A6F7C570716A67A5458E82E4E83AE,SHA256=C4A2688B0E279C9EBF3EAF1CCDAC5606151A9E860BEFF02B9F5CC4257D00AF4C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:05.019{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:05.019{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4D30FA2A751302F40478ECEC578A61,SHA256=2ED27CA9C8CAC66406C5D660196B29EE40F1B385504174FCACE8F1D554D8A265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:06.126{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975CDF948FB0DAD2850C77F5FB60CA62,SHA256=B51BDA3B041B6C9BCCAC386730B2F26727FF84F1D184F529CCA99801CAC96567,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:06.109{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:06.109{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4606AAE0FCA4BD242FA2F0CF2211847,SHA256=B587CDE1D4B06B7991E48B01C7B7A06C4A22D6D42E342CA6FC5F5FA8D15F4AB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:06.135{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50311-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:07.218{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C9D971DE52EB39176D5BBB99177184,SHA256=64BECE81D198AD1C2037E8588780E2543FC5E3718EFA5F998361BBC42C50530D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:07.997{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 11241100x800000000000000083305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:07.751{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000083304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:07.751{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B995376E66BC84E5A682248EBEC696,SHA256=DA851E1CB516C48EC40D32720DC0D7F2EC24DDFDAE67CA54257D450F4C9AA83B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:07.207{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:07.206{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A33D500AE9467BAA59E954F28100976,SHA256=9530D88F15503D6A71E564B50AC4BA34B0713BA2C47B8A2F699AFB68CD54DC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:08.314{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD10CE1CD4305642EC6322DAC677B47E,SHA256=4D5261A50E6445F9DC109778E120B759AD27F584A89FA3D2A02ACB52B17CAED1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.392{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.392{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11F3C40FC7B2145251E92C160B31872,SHA256=9D7AD0D0414225175A497A4354BBE5F533ADDC9C84CB1009C064BF0031D87817,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.234{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.231{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.226{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.223{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.221{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.212{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.207{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.206{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 354300x800000000000000083320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:04.257{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49448-false10.0.1.12-8000- 10341000x800000000000000083319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.201{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.194{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.174{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.167{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.157{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.144{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.131{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.094{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.079{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.070{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.061{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.051{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:08.000{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000068133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:09.408{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AED4AE05628D8CB65BEBB876F06ACEE,SHA256=A0F36926E956F8CA76C058D79943D4314B4417D4B9CDEB3192EF83F59971B336,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:09.611{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:09.611{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A479F3B987C255EFA16213D768A353CB,SHA256=2D2F4F5DC154B35FA638E9486B64E555E5060453B1EB69BB11054E8FB367AE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:10.508{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7214429594DA71945D905797C508E65D,SHA256=C57F0480F8D1ABC3F3A8FA44203D90B773885BD3215BBA876ED0A0BDF5ACA00A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:10.853{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:10.852{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 11241100x800000000000000083338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:10.668{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:10.667{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2408E0AF4DC6D0962BA31FB1E0838416,SHA256=FB38AE7CBFB710C4ED4932A8B3AE4369E1C878FEE840C8CE213D8FB619798912,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:10.286{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:10.282{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:10.277{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:10.263{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000068135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:11.608{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509FB9BE0ADDAF57CE5F0D3081FB75FA,SHA256=4386E8BAB55E9C09300B093F7E2ECCFD394697FBA4ABAEAB8228B464028252E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.726{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.726{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AE1901F20193B494C5A58E63ED0AB3,SHA256=C0AE35BFB8006A70DF4838676AAE38CE033A5E795319A4167C7A59EBE83C1848,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.455{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.455{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.454{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.440{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.431{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.429{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.406{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.400{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.388{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.384{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.383{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.381{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.378{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.376{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.374{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.373{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.371{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000083341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:11.370{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000068149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.704{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52CF0763D70CDFB89E303F3702C97CB,SHA256=B3193ECD63FA3AA3E533A979EAB431A56B605CC33692D0965D7C88D3D93D3089,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:12.830{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:12.830{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656622F13A8BAB72DFF8C50D6AE122EF,SHA256=2EE069C96FB9DC7E87106DD36B08FC2A6FFA670E604F3455758D7CCEB48AC4C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78B4-63C6-3B02-00000000B102}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-78B4-63C6-3B02-00000000B102}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78B4-63C6-3B02-00000000B102}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.376{F6EEFE7F-78B4-63C6-3B02-00000000B102}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.938{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FA77BCD41E07005DB45DED23B0BF18,SHA256=D3125D68F4E1FF1109FD42B23BE2E698B6F0DE6610B9D8CA399E1B4BD1C4DE30,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:13.930{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:13.930{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F1AB21CA2C4EDFE510D9BC9856D35C,SHA256=6B27107EB2250DEF14E4F4565D227E4887A500765FDBF9A2F31F74497D916814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.493{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.481{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.447{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000068187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.440{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B57C7481060FC88468FD867C4D529A8,SHA256=2E36FEDC56240557F09C8AB0F3D82FFA447DD0518AD2AA663C28032C15B13864,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.430{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.428{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.392{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.385{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.367{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.359{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.354{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.328{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.322{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.315{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.313{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.300{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.292{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.288{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.283{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.271{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.242{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.240{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000068163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.239{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6668860C0D0D397E385AAE7A66192847,SHA256=5AFDE69D62FC8916B0BC29A68DE95B1D78271E2373A2C7C27A9C9BC4713BD7FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.214{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.206{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.174{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.168{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.160{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.144{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.136{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.130{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.121{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.111{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.094{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000068150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:13.092{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 354300x800000000000000083363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:10.233{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49449-false10.0.1.12-8000- 10341000x800000000000000068221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-78B6-63C6-3D02-00000000B102}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78B6-63C6-3D02-00000000B102}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.990{F6EEFE7F-78B6-63C6-3D02-00000000B102}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.661{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=65FF274B129E4091A5DE9D18EC4051EF,SHA256=357E30E5FC2826761980B662EBAFBF2A8A6088D29DBB3FB7FC66770192613E90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:12.039{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50312-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000068207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.348{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78B6-63C6-3C02-00000000B102}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.348{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78B6-63C6-3C02-00000000B102}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.348{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78B6-63C6-3C02-00000000B102}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78B6-63C6-3C02-00000000B102}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-78B6-63C6-3C02-00000000B102}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78B6-63C6-3C02-00000000B102}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.318{F6EEFE7F-78B6-63C6-3C02-00000000B102}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:15.435{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-048MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:15.176{F6EEFE7F-78B6-63C6-3D02-00000000B102}39723620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000068223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:15.004{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D406C4B22ED938FE3F1CD307883528D,SHA256=8239D92950CD43B4188E2D99C653561743E250EEA80935C190CA4E7ABD9D682F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:14.989{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78B6-63C6-3D02-00000000B102}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000083367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:15.028{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:15.028{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4344AFA898D6F510101E03336D4F5B31,SHA256=9EB1E17070959C58B45DD2BCC3AB51C6833554467E28D04717BDA449F9D8AD83,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:16.105{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:16.105{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53BB9CFF17782A5C6605F46A0672028,SHA256=FAFEBECAE1227339F8F26A747DD67B8B3C6A54D6526BEB47A5ED0D57A2E289D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.439{F6EEFE7F-78B8-63C6-3E02-00000000B102}53002236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.435{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78B8-63C6-3E02-00000000B102}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.435{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78B8-63C6-3E02-00000000B102}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.435{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78B8-63C6-3E02-00000000B102}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000068240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.433{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-049MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78B8-63C6-3E02-00000000B102}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-78B8-63C6-3E02-00000000B102}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.218{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78B8-63C6-3E02-00000000B102}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.219{F6EEFE7F-78B8-63C6-3E02-00000000B102}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:16.093{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB763526E43702CAFD111329494FB4F7,SHA256=8E1888F65FD9588E4F61BB1032C04BB9A9FBAB63753F0DBB3D1ED7BB34B1F116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78B9-63C6-4002-00000000B102}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-78B9-63C6-4002-00000000B102}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.870{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78B9-63C6-4002-00000000B102}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.871{F6EEFE7F-78B9-63C6-4002-00000000B102}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000068259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.413{F6EEFE7F-78B9-63C6-3F02-00000000B102}53884728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78B9-63C6-3F02-00000000B102}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-78B9-63C6-3F02-00000000B102}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.205{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78B9-63C6-3F02-00000000B102}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.207{F6EEFE7F-78B9-63C6-3F02-00000000B102}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.158{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2CF136CE8B2F47F10637A42E59292F,SHA256=F50B6F2F02D7709F0B139C0A03CEB041A32F1F687EC0BFB817BF321511827A00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:15.264{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49450-false10.0.1.12-8000- 11241100x800000000000000083371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:17.192{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:17.192{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4725F459CE7637F0FF0092AEC0D8BD,SHA256=70913D237DBC41C7637616BF73B04C857F183A56FD80AEBEB38B78154A75ED7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:17.041{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50313-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:18.372{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9891716B315EFB920F6D8F2F1A218A,SHA256=52ACB9D5B0B17D7031A735132E5A7A3CD2F86FD1A2A32FC072D65AFCBD39EED5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:18.289{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:18.289{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6B60C01F3361B60B2C091343962D78,SHA256=9D9643605859D5FAA51F7272C8E3BA9F68BFD21780564E42E1E61D22B37B71F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:18.193{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:30:18.193 10341000x800000000000000068273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:18.058{F6EEFE7F-78B9-63C6-4002-00000000B102}996936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.486{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78BB-63C6-4102-00000000B102}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.486{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78BB-63C6-4102-00000000B102}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.486{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78BB-63C6-4102-00000000B102}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000068290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.463{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0ABF38576ACCB15591DDB115444578,SHA256=09DA643C83A19449E6CE0D040CEF576334EC2EBFFFF38862DE46C45AD0FC3531,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.463{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78BB-63C6-4102-00000000B102}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.462{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.462{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.462{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.462{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.460{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-78BB-63C6-4102-00000000B102}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.460{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78BB-63C6-4102-00000000B102}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.460{F6EEFE7F-78BB-63C6-4102-00000000B102}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000083377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:19.279{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:19.279{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A4A7D44F142ACA5D9CC34BE599FD18,SHA256=9094B0AE7B09ACE403BA6A27D784DE92932600B3B07D67179E7AF09F59B2D837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:19.019{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3865EF0DD6CAA30B8C1856C252399156,SHA256=B65A7769734CA0F9C8BBF782D9D8E90905E093B21E6E15AF4FF739FD0046819E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:20.565{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6188ADA4439B107D9E268CF2CC7063,SHA256=25391202ED6FC7B7C9BD1619981E3BA240EA2C70074293D113BA847236BAD57E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.813{F172AD64-78BC-63C6-4202-00000000B002}58924532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.813{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.813{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000083480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.751{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.751{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50E945EBA0954CB120A82CBAF9B884E,SHA256=43561008231612C2C246C62569E64A7849E7641E5E5C3A42BF2AB5375EA09D50,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.751{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000083477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.751{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DBB44A9709F6DBC6489E3FD9005518C9,SHA256=4E59CF2497E172C0D7A1ECAE682D2DD818DB06F39EA0A2A680407980753B485D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.671{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.671{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.671{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.671{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.671{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.671{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.671{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.671{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.671{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000083467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000083452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000083440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000083437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000083435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.655{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.656{F172AD64-78BC-63C6-4202-00000000B002}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000083428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.222{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000083427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.222{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.206{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000083425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.034{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.034{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.034{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.034{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.034{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.034{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.034{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.034{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000083390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x800000000000000083389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000083386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000083384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.018{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.019{F172AD64-78BC-63C6-4102-00000000B002}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:21.767{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855E70E34069FE1E24549FCC5D73F608,SHA256=4FFEC807A8A4228DC9DA18168CA1D2ED5AB791F199D5EF99955A92A4196183C0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.962{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.962{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.962{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.962{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.947{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.947{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.947{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.947{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000083531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000083529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000083528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000083505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000083504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000083503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000083500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000083497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000083496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000083494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.931{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.932{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.743{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8C1AD6CEF8C2EA100B9F3048C319086D,SHA256=14A2E88BA5B015E4EB4D273327EADF091B0F660E289C0381113B9EFA9F30A19D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.712{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.712{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A70E72016E4AE7E69D3D5818DFBF9D,SHA256=8E863FB4254DE220218754E11EAE78914C1970466399F043D5DE1F5EAA2CD638,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.126{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000083484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.126{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA2552D76B584BEF7C249D6A98C0C395,SHA256=AF81498D5F2D86037724DAA6C50D4E27AB57177A05E21E05E10DE6388E2C6664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:22.862{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72106397E2C12DE8561B2BC39C1F82B3,SHA256=0914B5DDA9AD4476426F0809736F521B6BEFC9CE18402E0BD569BCAF4CDD5705,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:22.836{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:22.836{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817EEB72D4C3F2464FAAD4BB1BF3AFB8,SHA256=F5A1C5EBEE44CB6A8F0A6489AB177C4D332754DD672CEFA22259F4A4158832A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:22.377{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-048MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:22.376{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0482023-01-17 10:30:22.376 11241100x800000000000000083544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:22.375{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0492023-01-17 10:30:22.375 734700x800000000000000083543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:22.140{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000083542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:22.140{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:22.140{F172AD64-78BD-63C6-4302-00000000B002}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000068298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:23.966{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24813B495B8FD597B506BFA650392E0C,SHA256=2EDF28DC004C7EA8DC4C76F04B853D602424858674133B0AAD69035AA304D05A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:22.119{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50314-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000083551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.735{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49451-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000083550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:20.735{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49451-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 23542300x800000000000000083549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:23.389{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-049MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.889{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.889{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.889{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.889{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.889{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.889{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.889{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000083618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000083615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000083613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.873{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.874{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000083606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.614{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000083605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.614{F172AD64-78C0-63C6-4402-00000000B002}62647092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.614{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.614{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000083602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:21.219{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49452-false10.0.1.12-8000- 734700x800000000000000083601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.395{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.395{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.395{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.395{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.395{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.395{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.395{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.395{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000083566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000083565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000083562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000083560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.380{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.381{F172AD64-78C0-63C6-4402-00000000B002}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000083553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.015{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:24.015{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BAE1DDC243D0D6750F210CE8D24176,SHA256=B40D1AA89A9ADF22B9F0DB02F025F9CD142CCD00B4376FAF424080BF15AC9F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:25.056{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040ED9C10B5C5A92976F628DC6CF00C7,SHA256=B391C00FA08B0FADC7F2AB41891B18D5F1EE3C76FC89BAEF902D4EEFBF91EAEC,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.669{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000083711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.669{F172AD64-78C1-63C6-4602-00000000B002}44245488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.669{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.653{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000083708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.528{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.528{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.528{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.528{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.528{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.528{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.528{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.528{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000083673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000083670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000083668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.513{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.514{F172AD64-78C1-63C6-4602-00000000B002}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000083661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.363{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.362{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEE6F7BE686AED901C33CAD341D7976,SHA256=1244375C2ECB6932E774FB918A8F6BC878A21D174FD2A23BB190AD03BE0C43C7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.139{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000083658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.139{F172AD64-78C0-63C6-4502-00000000B002}25486864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.139{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.139{F172AD64-78C0-63C6-4502-00000000B002}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000083655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.108{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:25.108{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A760FC05A2D792A0F9AC8B69E5795EE,SHA256=2601E5B921315054C88F98CEE65E07043A713BCC23CEEEA73DE7B6328351C8F8,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.828{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x800000000000000068300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:26.160{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C963E4794AFF781A50952E2C00D3F238,SHA256=3F36683D52183118879D354D523EA00DB7FACB05984C53010B87AAE86BFD5E43,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.826{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.825{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000083770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.811{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000083769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.811{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000083768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.811{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000083767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.810{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000083766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.810{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000083765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.810{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000083764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 11241100x800000000000000083760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x800000000000000083759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 23542300x800000000000000083758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2031834A3B2C0D568B4D8FABF986A5A3,SHA256=45FAEC5CE9E2A4FA8B439F10DC67F4193FC7AFA30D4ED82EC7B06B58DFBCD4CE,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 11241100x800000000000000083755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000083754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.634{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F4E97DC538FB46AC2FD4484BFABAAFF,SHA256=0E4EE5686CDB983D3D3176BA58B5C619A55D517D98D93221CEACA44CFA1E80E2,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x800000000000000083745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000083728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000083724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000083721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000083719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.618{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.619{F172AD64-78C2-63C6-4702-00000000B002}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:27.996{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 11241100x800000000000000083777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:27.769{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:27.769{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B36C6CCF1CDE5914BF9A5E59015F1BB,SHA256=F4C710DDE1CBA66911B151F17B4725F724087E75D6AAF719BEE567E0D91B016E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:27.240{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF303608B79B521AF46F5F87BD2CBF9,SHA256=C2DDFFA4DD4EE22941291C8C27CD8ABD453E824983647DA0A0F573C0B0F2C43B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:27.095{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:27.095{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2A72BEE34F510A8E6B7DC9E3010063,SHA256=8EC65570C9CFCDE82C54C420DE5E647B8C009120CA24EB50EFE24FC5256D83B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.845{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.845{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0EBE4427D52186CFD50883E92FE0B5,SHA256=F80DF602C9A9B00D423134FB9246D2AA5180EDA44CD14DC849E4A20EE9AF9F9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:27.233{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50315-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:28.444{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB627B1E9D559D1C20DBFCD06A24400E,SHA256=5773256012EE17E07380F0E90099A11CFA8AAD24A2043FD7EC940C2FAA15F688,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.159{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.156{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.151{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.149{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.148{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.142{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.138{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.137{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.135{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.128{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.118{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.114{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.107{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.099{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.092{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.063{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.054{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.048{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.039{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:28.033{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:27.999{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 11241100x800000000000000083804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:29.953{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:29.953{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F97F12E5D1CB1DF0D30860A3141908B,SHA256=031A996256E86FDE3BC42851895F30CAC4AEB4733CA28285F5DF53B0D5B9919B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:29.538{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAA2B166FA5803BA01FD08EB50860C2,SHA256=83DD4697229EB8C7C59F039112F71EB980DC8EBF3C59161AC04EF31BF552A1CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:26.347{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49453-false10.0.1.12-8000- 23542300x800000000000000068305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:30.737{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3600B6B28F326F2A0DA6208091402B03,SHA256=D6169B70CEEF8003D439A12E45ED1F586CA387495828AA8C1845C530ED359319,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:30.693{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:30.692{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:30.213{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:30.209{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:30.203{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:30.188{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 23542300x800000000000000068306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:31.827{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40EBEFC1CBC5CA522F057B5520BD311,SHA256=CD0AC55143607B170F802679726DECFAD99DD816747AF11D1E2C46E98A61D5E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.304{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.304{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.302{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.287{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.277{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.274{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.252{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.246{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.228{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.222{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.220{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.216{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.213{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.211{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.208{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.207{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.203{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.202{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 11241100x800000000000000083814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.074{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x800000000000000083813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.074{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.012{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:31.012{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DE94D049AA1A87F223C16A8E62D37F,SHA256=876B170B6FA6F50AD8A6F42971F4A6C0072E96644376EB8782E5D8F0F41B25F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:30.186{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49454-false10.0.1.12-8089- 11241100x800000000000000083834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:32.090{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:32.089{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF86E7FD6197B44ACC8E9EE62B4F918,SHA256=5ECF2C2CA3761CAC63DB08AE76B6A70C5E13DBD8F4BFC9223A2D5961D39C9688,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:32.233{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50316-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000068346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.447{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.436{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.406{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.388{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.385{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.358{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.350{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.332{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.324{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.321{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.314{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.312{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.310{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.303{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.301{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.273{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.265{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.258{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.251{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.248{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.235{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.228{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.199{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.187{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.169{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.151{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.132{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.125{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.117{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.106{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.099{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.093{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 23542300x800000000000000068307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:33.030{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9901D3A41598DD49EA6D316A32EE593B,SHA256=4551F48008BD6FAB4C17D385616656A950D4C09DB19BE5C1BAACF216FA75D1BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:33.192{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:33.192{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF87E390EAB94A299E533F309756555B,SHA256=3F7AADD310B027074CADCBE65BC2E3CED3F0A5BD0F16FDDDB2B9EAA7A284F886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:34.448{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B82D8FE742B0035F4D8CA9C36E37B0C,SHA256=FE28C64B2C9C93BD207E887C7D841652917D2B3112D95E896759D356C65F82EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:32.179{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49455-false10.0.1.12-8000- 11241100x800000000000000083839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:34.285{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:34.285{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EDCE9EBB56A1A7D31ABC284FCA2EB0,SHA256=79CC82717BE618189CF0BB920B8FD6D9B9A92A46D88C9CB1C312D999CDE52339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:35.536{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8556DF5AF467D1DC207C7DB9114F5518,SHA256=CC75476E03D66F192EF5D01E683B6B0245C373B777EB6154C16783A6D64999C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.436{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000083842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.358{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:35.358{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDA1553384F1FDA841AF32EC3B039F6,SHA256=3703DC25532EF9E4C2E735E47363F2579E805FA98B7C3592DD661277934CEAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:36.623{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192CFC6539E7320F47AE02A2B0D80975,SHA256=2A02DF73670E4D89E88F6E57CB9AD840E4A2CB3EE0D37D42B784D30D868F0AF3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:36.640{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:36.640{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D93898044D4D10BDF3F2B514910215A,SHA256=4AEC1C07F8005BEBF8B59BCB55B650C7E56BA99D82281EE7C627AE6D97B855DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:37.713{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C69B9599D5E29460EA0A43C2D57545,SHA256=317121FA70B8955F94CE5F03F870F6E6D71A18F603B1415FD17F3BEEB7422BED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:37.678{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:37.678{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697A576D2FF6DD1A47F472A40E22F618,SHA256=455D470580296B9ED59CCF129676121FD142C7F392BF6ED586AC47E09091FE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:38.805{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF768395CB723BF3D48AF6B854D15E19,SHA256=0F4923C44A73AC71F83508982296B7D2BDC14A9E10824BE87A184505EC8082EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:38.868{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:38.868{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B62F75CF14C26D650629122AFC126E4,SHA256=8704EF8F81C8557CA18E1C901FFBF272F0A8B61DDE8C79C781788B0F4EDCEF6D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:39.969{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:39.969{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328673E56107FED1347C9817F4792577,SHA256=F994FE5EE02A8B2126474BB673E0BE9E47A1F857CC43CB562990E7265B38722B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:38.123{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50317-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:40.009{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05232D19D6B759D3FA921B5F1AC09F34,SHA256=8BB1F4A438BCCF144713D7595B85F82DFF16FDF4859D284349E96E28559B40FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:37.383{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49456-false10.0.1.12-8000- 23542300x800000000000000068355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:41.112{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EC3D2AE33750DBDB826479662CBCDA,SHA256=614709858D01EB76A11657736BEC69B91ED3E1244D9B9B1D3A16AF0A8B420509,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:41.060{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:41.060{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C353EA96086B01DAEC0B6957E6A2DDEC,SHA256=D757DB56C22F4587C831B9FADD0555E4D9652264AE0EFD4BB5BD392B66A7078E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:42.208{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3EE8FFC72DD70A66D9A7AEB853A44D,SHA256=2E5D12F0D74ACEEFD0E2C82BF27B886BACDFE548F376603D866102E877D87EAE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:42.154{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:42.154{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD205E6266CDCF06F78DD5DCAAB740A,SHA256=858DAF96C0186662419D555B0B27D597D1E7ABF2748C2E6C790EB7D133490094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:43.842{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=19B29E84E03B60ACF52BE27495FB42A2,SHA256=97884A1C83524BA534B7EDD2DA120D9507EAED7371D4D9FAEBBC3FA1E61FCD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:43.311{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C65CA897CB7BAF783C2A095966A4379,SHA256=60EB30B101456BF0FF131303EB180B569EB766218A0AFCD4570C0EDCE43701CE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:43.254{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:43.254{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6811096F751EFA624390CEDC1A0AC24C,SHA256=88BA2242F335BC63DE778EECEA5AFF633AA7355DFFAE26DB6BE73C3406EE0729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.388{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134DBFDAAF1ED57AE9EEC9BE07015C0D,SHA256=BF9BA5CF63CD5869A539468538AEBC36F73595036A29F05F6BA274C8C0C15299,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000083894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:44.352{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:44.352{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69DC222E3D814C5C66C7099EF8EB909,SHA256=D752B7D3B06DEFCFFA0D9156E80A406A0F5B371259ED6EED9E3C849DD35E17CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.289{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.289{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.286{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.286{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.286{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0A00-00000000B102}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.283{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:44.283{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000068371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:45.475{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7619A125E5125D69628838FF7365470E,SHA256=DAB07620B0966ACCE0C439D8CCC64A91675C851C6D0782F67FE907ADC3D06378,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:43.150{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49457-false10.0.1.12-8000- 11241100x800000000000000083896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:45.438{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:45.438{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D1BDDD18CC959FFE243E6EF4618976,SHA256=DA01B1CCE40E5875A5B730FE3E6E4D5A51DE15E61CE6BFC268A9C0EC2392179D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:43.221{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50318-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:46.560{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8E9741732C243BC17E9287102C509B,SHA256=3C6EF0B869AC64B0692E5B8303BFD5544C9FD4BF5433CB7D6B63772DA3618C72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.970{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.970{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.970{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000083909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.536{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.536{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B3C1E94A85639686BEC40C7B630BA6,SHA256=D24A6264C68F85420A9812ED860088BD2698D7FF3F140864CD5CEB3C0D81C8E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000083907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:30:46.128{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML 11241100x800000000000000083906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.128{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML.TMP2023-01-17 10:30:46.128 13241300x800000000000000083905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:30:46.128{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D769BB51-6658-4EA8-AE97-39FC12592D5B\Config SourceDWORD (0x00000001) 13241300x800000000000000083904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:30:46.128{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D769BB51-6658-4EA8-AE97-39FC12592D5B\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D769BB51-6658-4EA8-AE97-39FC12592D5B.XML 11241100x800000000000000083903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.128{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_D769BB51-6658-4EA8-AE97-39FC12592D5B.XML.TMP2023-01-17 10:30:46.128 10341000x800000000000000083902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.112{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.112{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.050{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 734700x800000000000000083899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.034{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\mydocs.dll10.0.14393.4169 (rs1_release.210107-1130)My Documents Folder UIMicrosoft® Windows® Operating SystemMicrosoft Corporationmydocs.dllMD5=999FD44CF5713852E6083A43A7917761,SHA256=D5C75951C29B7F0AAA4EC9E9AB3195933E650C1F171092F389FD4DB66CA1CA20,IMPHASH=D1267CC8F49B54A66A0034D2C4452E93trueMicrosoft WindowsValid 734700x800000000000000083898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.018{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\sendmail.dll10.0.14393.4169 (rs1_release.210107-1130)Send MailMicrosoft® Windows® Operating SystemMicrosoft CorporationSENDMAIL.DLLMD5=04626525E567811FC7ECB3E31D94F8B0,SHA256=678A3A9DD713DC61F72112BD3160B8753F1A50D1179FDFABD265C32103980A6A,IMPHASH=52DBB027F849F4DB11CB3C2B56C0E9FBtrueMicrosoft WindowsValid 23542300x800000000000000068373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:47.771{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52C1BDB97D18FA6983BA7503DEDD8BB,SHA256=1B12F890F2444F481B69E0FA77915D89093BFDFE80455EA811B1B045FA50499A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:47.971{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:47.971{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:47.815{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:47.815{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:47.815{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000083914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:47.628{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000083913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:47.628{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98DAAB9F34BD7B79A5BCE80B4DC4DC82,SHA256=E2ABEBB977587AD98D8CFA42657F4948363F9B11599502FDE2100CF5B9BF77BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:48.868{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7F89E128278E50B5CF7D19DA994FCA,SHA256=98FBD72C52FD2AC0CC743DF91C76EDD677D38459D766465FA0BA5A789F9573B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.787{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.787{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.787{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000084014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.721{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.721{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F27DB2CC5CB4DBB65E3671C8145704,SHA256=2B3501025FBA6ED5A9D41DA9786C7781D67DDB590193573C9C562CF44E81302F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.690{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.690{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E81B0EA3D7DDE0B39699F4384C5472,SHA256=C3B1AC3F86E18EA9E192F02DF8E590FD70737CFFA147B213FEEF455EBB58A29E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.611{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.533{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 10341000x800000000000000084008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.580{F172AD64-7634-63C6-B901-00000000B002}49005000C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.580{F172AD64-7634-63C6-B901-00000000B002}49005000C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.580{F172AD64-7634-63C6-B901-00000000B002}49005000C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.580{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.580{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.580{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.565{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.565{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.565{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.565{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.565{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.565{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.565{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.549{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 11241100x800000000000000083994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.549{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads2023-01-17 10:30:48.549 734700x800000000000000083993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.549{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x800000000000000083992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.549{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.471{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7z.dll22.017z Plugin7-ZipIgor Pavlov7z.dllMD5=BBF51226A8670475F283A2D57460D46C,SHA256=73578F14D50F747EFA82527A503F1AD542F9DB170E2901EDDB54D6BCE93FC00E,IMPHASH=4A683D6F78CDDF7C7CDA44D5A4669025false-Unavailable 734700x800000000000000083990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.486{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000083989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.486{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.486{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x800000000000000083987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.455{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.455{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.455{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.455{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.455{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000083982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.424{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exeMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7false-Unavailable 734700x800000000000000083981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000083980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000083976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000083975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000083973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000083972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000083971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000083970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000083968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000083966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000083965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000083957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.440{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x800000000000000083956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.424{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.424{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000083954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.424{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000083953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.424{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.424{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.424{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.424{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.424{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.424{F172AD64-7634-63C6-B901-00000000B002}49006296C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x800000000000000083947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.417{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap21809:76:7zEvent23642C:\Windows\system32\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 10341000x800000000000000083946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.264{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.260{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.256{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.252{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.249{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.240{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.235{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.232{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.226{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.214{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.194{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000083935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.188{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:30:48.188 10341000x800000000000000083934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.185{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.172{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.154{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.135{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.106{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.083{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.076{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.068{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000083926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.061{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000083925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.060{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000083924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.060{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D677FC0776C499F8A03DB2F7CFFC2686,SHA256=585E9F3B5BD8FDDFC5E7A35D2E8464C68DF0CE2F494BA1EBBF1C2574CAAE656B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.015{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000083922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.006{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 354300x800000000000000083921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:45.242{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49458-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local135epmap 354300x800000000000000083920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:45.242{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49458-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local135epmap 11241100x800000000000000084023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:49.792{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:49.792{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CF38C1970074C1F09B5D3032DFAD86,SHA256=0487295F0AF95DEA926B4D4440B065A5A36413188BB760DD52DEFFB2F3150C9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.941{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49460-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000084020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.941{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49460-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000084019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49459-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000084018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:46.097{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49459-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 11241100x800000000000000084044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.849{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.849{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2ECB9FDCD30EA5E8A58B4365F742A2E,SHA256=8D87EE2E3C401AD2E61F5EDA7BC46A73EDD0F10E936A9950B9F3990C1BD24978,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:48.232{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50319-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:50.070{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE9FE2CA89F0362CF78C317DC71C70C,SHA256=C6845E9D9C565C4A7F2D1A2A64769A710CB7A865AF03494489DB1EAF769FEC7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.734{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.732{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.590{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000084039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.590{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000084038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.590{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000084037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.390{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.390{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.389{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.382{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000084033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.381{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000084032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.380{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000084031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.378{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000084030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.376{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000084029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.376{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000084028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.374{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.312{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.307{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.298{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:50.282{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000084110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.917{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=592D55545E3C5DC1F4481C3E4F3D5E1C,SHA256=7A8EA4FCAE7CB990D9C7CADE73DA59868E5778BEC71B4BF9229117AD5E0E790B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:51.149{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57CC1593A35C8EEAA65DB4C9E729390A,SHA256=652504899FE18B463B27F96FF35C66EAE2C1F85CAAF510E6BCAF7820AC34BEB5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.415{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\VerifyIdentity.exe2023-01-17 10:30:51.415 11241100x800000000000000084108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.415{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\svchosts.exe2023-01-17 10:30:51.415 11241100x800000000000000084107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.415{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\svchost.exe2023-01-17 10:30:51.415 11241100x800000000000000084106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.415{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\PowerPoint3to4.exe2023-01-17 10:30:51.415 11241100x800000000000000084105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.415{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\passwordstorageFix.exe2023-01-17 10:30:51.415 11241100x800000000000000084104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.399{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LB3_Rundll32.dll2023-01-17 10:30:51.399 11241100x800000000000000084103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.399{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LB3.exe2023-01-17 10:30:51.399 11241100x800000000000000084102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.399{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\googleDriveDesktopAlbum14.exe2023-01-17 10:30:51.399 11241100x800000000000000084101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.399{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\ConfirmEmail.exe2023-01-17 10:30:51.399 11241100x800000000000000084100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.399{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.exe2023-01-17 10:30:51.399 11241100x800000000000000084099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.399{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.dll2023-01-17 10:30:51.399 11241100x800000000000000084098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.399{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.exe2023-01-17 10:30:51.399 11241100x800000000000000084097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.384{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.dll2023-01-17 10:30:51.384 11241100x800000000000000084096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.384{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-svc-x86.exe2023-01-17 10:30:51.384 11241100x800000000000000084095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.384{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-svc-x64.exe2023-01-17 10:30:51.384 10341000x800000000000000084094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.384{F172AD64-6CE8-63C6-0D00-00000000B002}8922084C:\Windows\system32\svchost.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.335{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.335{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.333{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.316{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.307{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.304{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.283{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000084086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.278{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\WoundedGryphon.sh2023-01-17 10:30:51.277 11241100x800000000000000084085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.276{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteKey2023-01-17 10:30:51.276 11241100x800000000000000084084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.276{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteDecipher.sh2023-01-17 10:30:51.276 10341000x800000000000000084083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.276{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000084082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.273{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteCipher2023-01-17 10:30:51.273 11241100x800000000000000084081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.271{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\VerifyIdentity.zip2023-01-17 10:30:51.271 11241100x800000000000000084080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.270{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\READ_THIS.txt2023-01-17 10:30:51.270 11241100x800000000000000084079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.270{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\README.md2023-01-17 10:30:51.270 11241100x800000000000000084078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.269{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\RDP_MSP_INSTALL_SCRIPTS-AWESOME.txt2023-01-17 10:30:51.269 11241100x800000000000000084077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.269{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\ransom.html2023-01-17 10:30:51.269 11241100x800000000000000084076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.269{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\PlayServicesUpdate.apk2023-01-17 10:30:51.268 11241100x800000000000000084075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.268{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\output.pdf2023-01-17 10:30:51.268 11241100x800000000000000084074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.267{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\output.html2023-01-17 10:30:51.267 11241100x800000000000000084073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.267{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LICENSE-WhiteBox.txt2023-01-17 10:30:51.267 11241100x800000000000000084072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.266{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\hoax.txt2023-01-17 10:30:51.266 11241100x800000000000000084071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.266{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\desktop.ini2023-01-17 10:30:51.266 11241100x800000000000000084070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.265{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\decipher.sh2023-01-17 10:30:51.265 11241100x800000000000000084069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.265{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\cipher.sh2023-01-17 10:30:51.265 11241100x800000000000000084068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.264{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\bg.jpg2023-01-17 10:30:51.264 10341000x800000000000000084067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.264{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000084066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.264{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\anubis.sh2023-01-17 10:30:51.264 11241100x800000000000000084065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.263{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.py2023-01-17 10:30:51.263 11241100x800000000000000084064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.262{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.ps12023-01-17 10:30:51.262 11241100x800000000000000084063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.261{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.py2023-01-17 10:30:51.261 11241100x800000000000000084062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.260{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.ps12023-01-17 10:30:51.260 10341000x800000000000000084061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.260{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000084060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.259{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-thread-x86.bin2023-01-17 10:30:51.259 11241100x800000000000000084059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.258{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-thread-x64.bin2023-01-17 10:30:51.258 10341000x800000000000000084058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.258{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000084057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.257{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-process-x86.bin2023-01-17 10:30:51.257 11241100x800000000000000084056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.256{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-process-x64.bin2023-01-17 10:30:51.256 10341000x800000000000000084055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.256{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.253{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.251{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.249{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.248{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.245{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.244{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.084{F172AD64-7634-63C6-B901-00000000B002}49005000C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.084{F172AD64-7634-63C6-B901-00000000B002}49005000C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:51.084{F172AD64-7634-63C6-B901-00000000B002}49005000C:\Windows\Explorer.EXE{F172AD64-78D8-63C6-4802-00000000B002}6400C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000084045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:48.302{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49461-false10.0.1.12-8000- 11241100x800000000000000084114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:52.940{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000084113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:52.940{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=283BB75846312D27809A56F997F10BA6,SHA256=3C48A53ECB69DF9E64EE8EDA43AAA92C606026B9C9313CDA0445E9EDD942AF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:52.357{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D36BD9A9C1B549751B93F844E31A959,SHA256=17A66BDCEF5CD7E3AE911468DA75BF443BCDE4F71B4A64A9D98AF5FDB5E71AC5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:52.001{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:52.001{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48E5B7335E1953290D560D070AE4FAA,SHA256=0751D7ADAAB245ACACD8AFD059E871D76DE42D89AA36FBA765B07E2CD6A9D686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.515{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.501{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 23542300x800000000000000068416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.489{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86023631BB8FB96E87B7EA94CF07540D,SHA256=D2257BDA2C755408AE5AD587C53730B5EF3F306B1B9261C1A87673F9524F29E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.469{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.459{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.456{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.407{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.391{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 11241100x800000000000000084118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:53.457{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-17 09:40:52.407 23542300x800000000000000084117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:53.457{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CA06E8D943FFD4D3B2FE935F5890029E,SHA256=2E4214A354E40F3F1DC630C233AB2F1FD849E131A85CCD308757771EDD961C64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:53.018{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:53.018{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23060E85A2FF302A3B395A668F604981,SHA256=26A44FC8D0270FE43A8BC3DAFE92FD6324D0346514D53B9AAB76ED616377F623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.361{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.350{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.342{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.334{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.329{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.326{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.323{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.320{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.315{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.312{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.308{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.303{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.299{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.291{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.254{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.252{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.226{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.210{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.159{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.150{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.139{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.121{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.114{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245600C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000129003D0) 10341000x800000000000000068383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.109{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000068382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.106{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000068381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000068380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.099{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000068379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:53.097{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 23542300x800000000000000068419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:54.743{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04595969FE4A75C989A4D34567B39F6,SHA256=A56C927C6D4455958666BDC335A40224BE1DBDD5083675CAFBA462357182BDA9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:54.110{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:54.110{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6BE42DAA137174A9848E79C97D89A1F,SHA256=70BADD696128D3C19F436D9FED180FEA14FFDA12F11602C6E1490AED13EBA243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:55.849{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC6DDD6832A51E097B285CC7DD482A7,SHA256=E9AA97F2FF7F9D8DCCBF9B4E44989BA998DF02EB25E1F75A81413875EC5FED4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.992{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.992{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.992{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.992{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.992{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.990{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.990{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.990{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.990{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.988{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.988{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.424{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.355{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.324{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\chartv.dll10.0.14393.447 (rs1_release_inmarket.161102-0100)Chart ViewMicrosoft® Windows® Operating SystemMicrosoft Corporationchartv.dllMD5=A503F84DE81A3F559BB7620764EC843E,SHA256=E43FE5BAD0D27AD9A4F8387C6926C11EBCB895272AD45F7F3A1CCF221EC85EC4,IMPHASH=9F006C4CB45C8FA41AB914F6D399701DtrueMicrosoft WindowsValid 11241100x800000000000000084122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.309{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:55.309{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68766509E20D29F8CDF614220F9BD4C5,SHA256=21454780439E703EE4619725D3FBDC124509ADCBFFDB6911D6B634B5D90A0ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:56.942{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16415B7EB95E59767C7D14F2F41F62CC,SHA256=4518D631D06A7126D2F24945555EF33038513F66E348A3C52093E00EB366D767,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:56.428{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:56.428{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795207A8F079636C898B4CD04DC42BF4,SHA256=6F199C83B05AAA14036AD18C332EEDCFA215BB8C5CCEE006732C80CE818A6603,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:54.096{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50320-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000068424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:56.017{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:56.017{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:56.016{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620668C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:56.001{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:56.052{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads_lockbit_opendir.7zMD5=4CAAB749780365D44DFCB27299120ABB,SHA256=380343C599FB4A897FCCFA12EABBEBA47A1396B5DB682CB07F5B71352478D89C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:57.522{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:57.522{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B495B9A832061C0BBB6916251745070,SHA256=DE60DE5126C8B2A9BA482A84662369EB4C3EDB39F990EDE0855D1AFDC600736F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:57.004{F6EEFE7F-6CEF-63C6-0D00-00000000B102}7642800C:\Windows\system32\svchost.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000084140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:54.279{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49462-false10.0.1.12-8000- 11241100x800000000000000084144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:58.615{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:58.615{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FD2201B656E531EAE5D7A285B68D06,SHA256=2B9B418C13E69A5EBE289766785926C94017634116D19A248D45C55C945BE28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:58.027{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F03B404797BACC888038B5AFBC6BC26,SHA256=FF1E4F9F7F91C3A967B51D2ADF0F6C4A06B0F48B43DC6A4E1F49417F8F72031F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:59.708{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:59.708{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779B8B52E3F798E12C70AC87B5568DC6,SHA256=D99916F7B273F6E450DCEC922A6AEBD797AC7BF87A1CD074060E8028C352F70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:59.638{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:59.115{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F62B9F1F66ED58C6851CCD129DEF477,SHA256=FFCE131CF618D112121FB1452F4C61F6AD98F580EA95EF2E0D3F0A4FFE8341F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:00.802{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:00.802{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C6FFDF9A3E7FC64235C086390984E6,SHA256=E6E706B6DF73467E710B069533A0B5727D4B8C3A29D7D53ACF07E82097CE224F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:00.368{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=21109894057946E6898CB387E65A8568,SHA256=C959F394DD6CEEBB17873632E63FB9FE00F2F5FEE4C4FC213A6D411EF473593C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:00.194{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9060195147319B7B5C86A5985C32FB55,SHA256=843871066CE333D3BAD20311D6A75978DFE9E007109D989EAA976EA8F58BC9D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:01.883{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:01.883{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CA333AB0755C24B88449A0F2771065,SHA256=1010EC74E6C0638C185EEC20795C6EC1E10B23175298837E4F893430CE14EF35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:59.611{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50322-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000068434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:30:59.123{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50321-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:01.273{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29122B9F62BBD0B68CFD16CBEF55CAC7,SHA256=90A8B3CD5A075685A02931EE07660799087A2D4C35FCDC4056019D6829F7715A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:30:59.356{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49463-false10.0.1.12-8000- 11241100x800000000000000084153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:02.978{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:02.978{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDD4AE0E444791FFDB73C75DF2F2EA9,SHA256=D50B8FDADCC98A8D8CE889C65E4C51FA731A9563BD820BAC8C3F69D43ED90358,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.920{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.920{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.920{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.920{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.920{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.918{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.918{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.917{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.915{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.914{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.913{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000068436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:02.366{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A2FE6308E2DBED4EDE0B845FF59926,SHA256=5E622D50A523D2E562922D67FFD5C046C4487D0C6A1E315EBDA6990FCC62482D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:03.570{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62D70D6347889140D7670532DC2FA9A,SHA256=5B40606F6C22A3E47FA768D38600921AC901A0A761BEECB55BEF0A7521F9B4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:04.763{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6BE406AA95A5F647943A41783FF625,SHA256=80660659ECAF8D9C31BCDF041A1966906FACF81F3459898F2A196F4251155293,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:04.067{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:04.067{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C72E638A712563295AE3B62EBE7F4FC,SHA256=07EBF9A20ED21CDF3D3271D9D312B4E151A12D0BF33BD18DE6C82DCC1A877987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:05.863{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F39F3891DDDA4D22E2B87D4DDA76AD2,SHA256=639F040AA6977005880FF90D364A457C6926B6670DC48E3324D369AF7AAB2111,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:05.158{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:05.158{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E5D4021EC346DB0536BECFED908428,SHA256=C36E21FB085BE6742D32ACBBEB65B6F2EB7907E079741F10C5BDAF8513761FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:06.952{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068739CC22A54D32603F7F9D43DFDFA8,SHA256=F82E56AF2ABE313C43B0380664AC5D31D2E9CED51807AB25291FB7EAB76BADDD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:06.241{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:06.241{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2160331AD5B2738550D23B470F02C9FB,SHA256=A389574F10DD17FE37E2D4DB01BFC6F87FBC709821645DCE6422A78587DCA3E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:04.176{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50323-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000084162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:05.335{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49464-false10.0.1.12-8000- 11241100x800000000000000084161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:07.315{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:07.315{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E18FEA95808E4BA9005F3FCCF8EABFB,SHA256=B1AC5DA972E0F9A8B94ADA2904AE585E8518732E2362D3BA183C0279A42F08EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.384{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.384{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1986D871561D35D6F1B71A595BBE948,SHA256=82690B8DFEF56E259B32DFF05C550A3ACF6F2E8E3A8AF1BADA511C52904362D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:08.040{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CFDBE5A0360239FF81B2627F48E127,SHA256=F0FC81AF76E757F24846AC674126582BEB4590E12268496E18E0807390E537B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.166{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.162{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.158{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.155{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.154{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.149{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.145{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.144{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.142{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.137{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.127{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.122{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.116{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.109{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.100{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.068{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.057{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.052{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.045{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.038{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.006{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:08.003{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000084188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:09.485{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:09.485{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567F01DC15767174175A9CC7DA86CE0D,SHA256=1AE6F227334379A8DB7FF4C9684916D3FA4A72A138EF7A5BCDF9857A3D888113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:09.124{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D387320BA66064ABA3114B0820161154,SHA256=D8CA159CDE9268E9A5E548C7B246BC6F5419F0EAE891CBF300D2A1AE6BD00E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:10.224{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC4A6211D241B0D7E9F4D34BF2F26BD,SHA256=52C89043B3C1F1A659613543AE4A147E7ECBA7DF06233C91308B582A422BC791,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:10.589{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:10.588{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000084194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:10.551{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:10.551{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B746A7B5F5092313532F21FBF6B28E84,SHA256=C71D17C4F92F1750FA65FCD10CB0ED299AACA701F976EE2BC2D22D4780D7250F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:10.212{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:10.208{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:10.202{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:10.190{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 354300x800000000000000068457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:10.039{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50324-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:11.324{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE3A11CACA22DE048D357A4B6127D3D,SHA256=5FEDEFEBA9965E610695AE1201071266EF77CE783EF587EB200987E6A13B2DDE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.622{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.622{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B880239786A97128BD6EB2EBCE20A03D,SHA256=7ECF3771FD4F1C283CDDA539E85248216891496EE36008B164C2247AA913689B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.209{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.209{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.207{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.192{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.182{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.179{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.152{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.145{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.133{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.129{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.127{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.124{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.122{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.120{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.117{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.116{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.114{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000084197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.113{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000084218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:12.722{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:12.722{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D05F7EA379DBC36984F29C96777BBF,SHA256=1529AFC64D10CD27A00D17AF2FC99B0CD5FD4E86C8E16E286FA337E9EFBFC1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.423{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD6BC4918FF45157614D89B38DD12F2,SHA256=1C371AF71798C73E29C7594546D63E2647E11A7DA8870D23A87E6F3CC8D003DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78F0-63C6-4202-00000000B102}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-78F0-63C6-4202-00000000B102}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78F0-63C6-4202-00000000B102}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:12.377{F6EEFE7F-78F0-63C6-4202-00000000B102}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000084220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:13.808{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:13.808{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC9D94043805DF87E7291564D4782AF,SHA256=FFE929C12D89342E344B6A342C4060FDDAC29BF163D00993A9E7616EE22D3CCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.598{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.581{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.534{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.512{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.509{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 23542300x800000000000000068508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.488{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDB3CBF01D7D9704E427F011251BF27,SHA256=708D5C5D1B5DBEE159C876E6C56A7FD935EF3BC980468E7966DAA8F9569DE959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.484{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFFAF24C6B5752C597E89743D6188A7E,SHA256=7795666D3294E0CF647E2A60C3597FB47038A4383C7A64FD7893B17FB5C3DBBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.467{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.445{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.409{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.402{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.398{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.387{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.384{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.381{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.378{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.377{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.373{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.371{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.369{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.364{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.359{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.342{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.337{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.322{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.311{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.305{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.288{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 23542300x800000000000000068483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.257{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9BEC40B74A0BD4D9BF98FC2A1A339A81,SHA256=9CF286395727EDBB34C233E672285D3AE4ADA4AA62CAD0B419C6D8E40B81BBA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.203{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.195{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.187{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.166{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.153{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.145{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.136{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.122{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.105{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.096{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:13.094{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 11241100x800000000000000084222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:14.909{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:14.909{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2214D94B32C9BE5AD583D3B4090C668,SHA256=B16F2066B5B7E0460F541E1E3A307EAB5BD9D300C1B4C739D7C76BFD1B3082E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.538{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9241B1ED7567B55090B743A3A90BFCE4,SHA256=390FE89EE07CC2CDF96762007BCB05142DA8CFA15B48F7B672A248D18F895484,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78F2-63C6-4302-00000000B102}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-78F2-63C6-4302-00000000B102}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.337{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78F2-63C6-4302-00000000B102}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.338{F6EEFE7F-78F2-63C6-4302-00000000B102}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:14.027{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AB13F61D6933F9645A8524820E8C957E,SHA256=0A3A864C6FA1CDDFF4C81609B8ABD01185AFE93BED080D48FAEF41926DB0A47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.705{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF61A9E9ECCB7D5915F8798CEF8D2C1,SHA256=B51E94DD6CEFC730AE713A2EA447487760A2C26A3AB7FC50B36A0E7BA9A527DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:11.266{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49465-false10.0.1.12-8000- 10341000x800000000000000068542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.194{F6EEFE7F-78F3-63C6-4402-00000000B102}59766076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78F3-63C6-4402-00000000B102}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-78F3-63C6-4402-00000000B102}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78F3-63C6-4402-00000000B102}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.007{F6EEFE7F-78F3-63C6-4402-00000000B102}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.958{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-049MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.784{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1981DEA57F2925F5B899DE9962123A,SHA256=96EE53BA12382A165208FFDD17325D0F6C0B539BD6D634EFE5BB3CABECE71674,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:16.009{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:16.009{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919ED3C231D77A595CCB8BE7E6F99495,SHA256=AE8FB61147F6FC91B999A4086C3E2BDBED46F6234EB0662E29524F265D3CDEC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.437{F6EEFE7F-78F4-63C6-4502-00000000B102}49444416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F4-63C6-4502-00000000B102}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F4-63C6-4502-00000000B102}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F4-63C6-4502-00000000B102}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F4-63C6-4502-00000000B102}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F4-63C6-4502-00000000B102}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F4-63C6-4502-00000000B102}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78F4-63C6-4502-00000000B102}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-78F4-63C6-4502-00000000B102}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.222{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78F4-63C6-4502-00000000B102}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:16.223{F6EEFE7F-78F4-63C6-4502-00000000B102}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000068601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:15.249{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50325-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.962{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-050MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78F5-63C6-4702-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-78F5-63C6-4702-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.900{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78F5-63C6-4702-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.901{F6EEFE7F-78F5-63C6-4702-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.883{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1FDFB919C2B8E6BE1B499F04E71956,SHA256=F5B86B6652957DB476AC0CDD7E75354E6E45209F2B1546C751DB5D430DF97960,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:17.106{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:17.106{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29523AAB391935BD6EE8FEE00E722D4D,SHA256=3543620DEEEAABDD359AD1FE79DA25349E39D2BC72B2BE817A1B77C9CC39E457,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.383{F6EEFE7F-78F5-63C6-4602-00000000B102}53326104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.361{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F5-63C6-4602-00000000B102}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.361{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F5-63C6-4602-00000000B102}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.361{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F5-63C6-4602-00000000B102}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.360{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F5-63C6-4602-00000000B102}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.360{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F5-63C6-4602-00000000B102}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.360{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-78F5-63C6-4602-00000000B102}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78F5-63C6-4602-00000000B102}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-78F5-63C6-4602-00000000B102}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78F5-63C6-4602-00000000B102}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:17.211{F6EEFE7F-78F5-63C6-4602-00000000B102}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:18.992{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6317C428341CC633E5D3190D5FFE895A,SHA256=A4FF80FB09404CA10E1A1C3698049927697ADE1EC5D9C961D39BEC9676639398,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:18.198{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:18.198{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B757935744661D00D490FBFE3FC947,SHA256=048F1850BFDBE15FF8BA7020A48FF5575718DCA5454256BAD26F2471D9B9D716,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:18.197{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:31:18.196 10341000x800000000000000068602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:18.069{F6EEFE7F-78F5-63C6-4702-00000000B102}60964312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000084233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:19.284{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:19.284{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DF958C4435ACFB628742848C9CE381,SHA256=14C854804B276CF57237FEEE35312BE85EDB1511C7987BBFB06A8DE05178B765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-78F7-63C6-4802-00000000B102}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-78F7-63C6-4802-00000000B102}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.465{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-78F7-63C6-4802-00000000B102}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.466{F6EEFE7F-78F7-63C6-4802-00000000B102}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:19.008{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CEE08605A7BF6109DFE3568552C4A5B,SHA256=E3D1498E02A3DF87B7E920B5D546E2E93D0435E081083DA5AD1A2B1317EB4E99,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:16.326{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49466-false10.0.1.12-8000- 11241100x800000000000000084339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.909{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000084338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.909{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9936525B773A7436637CDF3BCA6DA7B2,SHA256=2D8E144556685BE70572024B3DC35F3738153727720E3429B442D59A8623D1EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.871{F172AD64-78F8-63C6-4A02-00000000B002}49161672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.871{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.870{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000084334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.855{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.854{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC42860FE8EF37E6E576B1355E816E0,SHA256=D913BEBB363929B4765E041DDE73B987BFB92EF90926F1CDFF175FFD15AEE53E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.710{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.710{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.710{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.710{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.710{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.710{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.710{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.710{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.710{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000084323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000084310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000084308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000084296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000084293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000084291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.694{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.695{F172AD64-78F8-63C6-4A02-00000000B002}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:20.093{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F201B41B4CC76E5452987192F0D76590,SHA256=E56FE28F4748F40FE20C47A8AD0450D3A6CAE7311B34620DE80B21DBC1F2F78F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.214{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000084283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.214{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.214{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000084281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.042{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.042{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.042{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.042{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.042{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.042{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.042{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.042{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000084261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000084260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000084249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000084245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000084242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000084240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.027{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.028{F172AD64-78F8-63C6-4902-00000000B002}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000084393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.955{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.955{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.955{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.955{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.955{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.955{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.955{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.955{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000084384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000084362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000084361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000084360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000084359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000084358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000084356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000084353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000084350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000084348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.939{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.940{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:21.186{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63D6AD484A27D5ADC87BAC67BE870C6,SHA256=8CDC750D4D38DFFBB99D2802C68B8121ADDFEFD4283A9AA28B02A8291062AF2E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.128{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000084340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:21.128{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2784B66035F559C5573C834919FE347,SHA256=BD960C99764591E2A017F67C303FDD704954ABA451E5ACBCFD3BBA09702777AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:22.282{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C694C25D87371532F1156D8FCEB6CA00,SHA256=A8E496E1F450F0351CA6054A3A8E5CE51965D12E80B01C43657D4CD6C8A54EAA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:22.302{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:22.302{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9932BC11083E0889B1153AA6EBCF40B3,SHA256=C29DD9DDE477A3A06D7741553700A371962D0DCD86910880735C418A8CB53C33,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:22.124{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000084396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:22.120{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:22.119{F172AD64-78F9-63C6-4B02-00000000B002}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000084394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:22.033{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0C2D9EC8089F810C0A0AEF2C25A5CA92,SHA256=D396D5BC5042CB299F290C41E6828D53ED991A6BCFF9419F5C66E83B2705E5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:23.371{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F4DCDDB6A8130F70479AC3F17905BC,SHA256=5C32D9ACA68846B3B0B8592DBBBDDF5EC773597D97BBEB9B651613237DCDDE03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:23.989{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Temp\svchost.exe2023-01-17 10:31:23.988 10341000x800000000000000084410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:23.987{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:23.987{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:23.984{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:23.984{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000084406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:23.923{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-049MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:23.922{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0492023-01-17 10:31:23.922 11241100x800000000000000084404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:23.921{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0502023-01-17 10:31:23.921 354300x800000000000000084403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.747{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49467-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000084402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:20.746{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49467-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 11241100x800000000000000084401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:23.087{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:23.087{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CF5C6B6F937E21F715418741CB5A57,SHA256=D6517B08D198D4127B30EEAB064D6893314F119C612E14072459A1312020CB21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:21.178{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50326-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:24.467{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BCBEF157FD8CA565397429569D448F,SHA256=10ED405D501830CB4D9417FA657BEFC2331F0DAC3683CA87BF411BDC35AC13FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.923{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-050MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.562{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000084463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.562{F172AD64-78FC-63C6-4C02-00000000B002}43525960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.562{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.562{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000084460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.400{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.400{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.399{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.398{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.397{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.396{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.396{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.395{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000084440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000084437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000084425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000084422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000084420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.379{F172AD64-78FC-63C6-4C02-00000000B002}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000084413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.141{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:24.141{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB1347128504F7090B747851E9EC762,SHA256=740943DEDD43B861EE07DC82D060D194EC2B4532FF1A109E40EBABFF2A01E0D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:25.562{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE150B0E985E90F9E70B0377D68CF528,SHA256=8D685B889CF3DBE5BB718F6810FDBE3166A852B4ACEDDA0ADBA0B51C40A04D94,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:22.260{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49468-false10.0.1.12-8000- 734700x800000000000000084572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.888{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000084571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.888{F172AD64-78FD-63C6-4E02-00000000B002}57244340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.872{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.872{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000084568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.747{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.747{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.747{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.747{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.747{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.747{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.747{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.747{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000084548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000084546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000084533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000084532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000084529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000084527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.731{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.732{F172AD64-78FD-63C6-4E02-00000000B002}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000084520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.352{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.352{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A92A4FAFF0D54C8B0BD00D1FE52641,SHA256=6E28A957967F5B0C0842851E08D72E82CB8A75C1EF9E87C0E55AB9BEA8C631A6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.348{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.348{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A506FAB07162304DEFE34C0F344808D7,SHA256=D35B356A24DBADFEA72411CC0902DBE0C0C5034DC9C1FBC26ED58A7BF2C5A52F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.220{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000084515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.220{F172AD64-78FD-63C6-4D02-00000000B002}62765748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.220{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.220{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000084512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.064{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.064{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.064{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.064{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.064{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.064{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.064{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.064{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000084492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000084491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000084477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000084474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000084472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.048{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:25.049{F172AD64-78FD-63C6-4D02-00000000B002}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000084628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.798{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000084627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.798{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=620860E394013AF22B4C342A03592F60,SHA256=0F9B9ECA1B6C15165776FFFF722590190C05BE2103984761A691FDF693171574,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.782{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000084625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.782{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.782{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000084623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.673{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.673{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F095617876A302962127AEB9B961D5,SHA256=20BAC473AA516A9A6896E0982CDDBD230ACC6464565C9296E174C12792E59244,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.626{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.626{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.626{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.626{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.626{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.626{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.626{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x800000000000000084605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000084593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000084589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000084585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000084582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 23542300x800000000000000068625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:26.658{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2093435BDD3E96BDE7A801DCA87E317E,SHA256=970A2613F745DDCC7E8FE4B4DF6C959557F43E1025FBE6F400E758D25D8B1930,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000084580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:26.611{F172AD64-78FE-63C6-4F02-00000000B002}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:27.777{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5872AEC1A5E0BD6CB0EC577420A9B792,SHA256=758DE17E41D85E16C903B3AE09066072AB23D0C99B1E42ECC96DD34EA35F9CAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.998{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.995{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x800000000000000084642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.672{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.672{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFB479DC6C8318D2A6B01E4DF72D561,SHA256=17EDDB027E412B9FBA06713D9D767A13213F70B6A98F5CC9E42FC87206476429,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.172{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.172{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7768B62B44CFAE55B7A9FE4CB478BE9C,SHA256=E7AABD82C1C5B020EF7C089C0F06A0AEC60FBE3DDB462CC3DC00845E92A503A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.048{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.048{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.048{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.048{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.047{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.047{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.047{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.047{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.045{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:27.045{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000068627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:28.869{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD39DBAD50B2EBF250CE59A6FE5242B,SHA256=CCFFFA6ADD5599AB7AAAB891E6D7E2F8E2CCEEC5BBDDFAC5775E6B8774332D43,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.740{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.740{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7862108C8576A0114FEB78B841FAE8,SHA256=85B214EA27A746F7B494034CA304B48815515E9C2E2C4DA86746DBB880DA2AFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.724{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.216{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.212{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.205{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.201{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.200{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.193{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.189{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.186{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.184{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.176{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.164{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.157{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.150{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.142{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.131{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.094{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.083{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.073{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.063{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.046{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x800000000000000084669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:29.828{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:29.828{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403CE634B646C53BE0642F47933F9546,SHA256=8BE80AB4DCC3CE9EB506E3234F16A6AEC092D9D1A323DF140519012C641B93B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:27.139{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50327-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:30.073{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BC2ED85B2FF2EBB3874C9D9538DEBB,SHA256=F5D3E292D96FCD7CAC651180FB0B46F084584F3B22E44762EF25082E1FC373AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.680{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.679{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000084715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.333{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\WoundedGryphon.shMD5=09ED9713D0AD02CA05A875AEA4A6FF4F,SHA256=228BC051198F43F2B8E36A1C3AC0A7BC3AE23ACBBFB0B880ECA1AD5FB587DB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.331{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\whiteKeyMD5=23291F3843D7E3CE826E6981633F6503,SHA256=4FAD89475ADEC4C4AFFBD65263916179977DD6E10D392F983A7FD67D9AE8A874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.324{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\whiteDecipher.shMD5=026C306DC7DBD2E2E6E99C8888A0770A,SHA256=7520B4CE69D904844BE34F7BB07BCDA49658147562B745CCA8CCCA51C4290FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.323{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\whiteCipherMD5=FEB6F25BC262A5FF98EA825799CE494C,SHA256=74E6B8B94892C9E21F3FD75FA4173FED16D9AA7ED6C8EE90306B118616F07A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.299{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\VerifyIdentity.zipMD5=1AE5E93068A9E333B11E20529979D4A3,SHA256=8035509D003A2CACEA942660D44F3E989F8B316380D5073597FB4270B5CF25C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.284{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\VerifyIdentity.exeMD5=B57CD4DA5AB3566177BD3B9FD8C306E3,SHA256=A063F9267414A21CF829526DC97C852417B0C373D8B411B67AA4202227011F57,IMPHASH=557851F516941D1F8C24A919BDE970CCtruetrue 10341000x800000000000000084709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.281{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.277{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.270{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.258{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000084705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.242{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\svchosts.exeMD5=63D533FB228E802C9C774EF75FF043FA,SHA256=240AC12F9C13EF1FDFBC77E16978F0423A41A3CC1C3DCB8786BA8E7672811F0B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truetrue 23542300x800000000000000084704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.242{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\svchost.exeMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744truetrue 23542300x800000000000000084703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.242{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\READ_THIS.txtMD5=E6E8C8822EC7D0F5FB9B3B75953B785E,SHA256=043D32878D17E4110B97E2106580193B1079C85D570E4625F1D86BA4F035D38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.242{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\README.mdMD5=8EE661573CCEA2898CB9B7612428D687,SHA256=201C73CF552851913DF1EFDF517F39B8FAB28F01649B2626E7E6DF7A72FA7E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.242{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\RDP_MSP_INSTALL_SCRIPTS-AWESOME.txtMD5=DB0632A1788BF0B4BA4FB381B186E3F0,SHA256=76C7A37AB465BA53FB735C0A6235269F24E76F9DC6BB53C06B091E21211F51A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.242{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\ransom.htmlMD5=67912031E5751A92113F2A00AB83ECA2,SHA256=116D5D8D6580D093E103FAD8EEE4614FE1A3BE6E371F0E6EA22496CFFB4E428D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.227{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\PowerPoint3to4.exeMD5=35560FFF8FC990948A9252BF20CFC8F5,SHA256=3E04FE9F427717CA17142603B46C5264FB42621048719721FFA4926C8E9BB6F1,IMPHASH=41FB8CB2943DF6DE998B35A9D28668E8truetrue 23542300x800000000000000084698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.227{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\PlayServicesUpdate.apkMD5=875773A09F5F4C09CC11E0FB7F1F49B7,SHA256=CB90976C01394BD91125C6764FC8FC19F8B5EF2B1422B641E2B4C68F6C91B984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.211{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\passwordstorageFix.exeMD5=B57CD4DA5AB3566177BD3B9FD8C306E3,SHA256=A063F9267414A21CF829526DC97C852417B0C373D8B411B67AA4202227011F57,IMPHASH=557851F516941D1F8C24A919BDE970CCtruetrue 23542300x800000000000000084696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.164{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\output.pdfMD5=D8D25CD8C77E628ADFAD6D14A41FB5CE,SHA256=4C7652C9DD8C773D6C3FB2FD3FF6374CEE6CC10F3647B3505DC41721ACF164A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.164{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\output.htmlMD5=D8B99D220F319B3D6D5E9EC40637A7FC,SHA256=B42D9D4562F7619D29378CF661784DA46F4AACAEF95F793D56F7BC6F9D2D8B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.164{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\LICENSE-WhiteBox.txtMD5=0DBE649720C003B15B8C288D4E5DC515,SHA256=0E9C1A8B6FD50923CE98941E77F47616F478B3C86BDC2E3F4389F626F55A5812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.164{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\LB3_Rundll32.dllMD5=8420A0F6F0FAC3A16D486123DFCE7C7C,SHA256=4EC749635F2FC719D569C97A868A071F486923F63ED71EECEC9FA0D62278BBCA,IMPHASH=B750C147C0BCC8B349E4F1143AC1432Etruetrue 23542300x800000000000000084692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.148{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\LB3.exeMD5=75256873A03F4A4BC073185F48C1097C,SHA256=068CA3E92C65EB907B5A34BE16580E267EFBBDE6F9129CA30AD80C948A1D3FFD,IMPHASH=41FB8CB2943DF6DE998B35A9D28668E8truetrue 23542300x800000000000000084691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.148{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\hoax.txtMD5=207CC613FB965F238D082DE5DECCA1F7,SHA256=CD47F0C7317A957EB802B7831CA0E6A7D285FE2E7275B656778F95089E97FEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.148{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\googleDriveDesktopAlbum14.exeMD5=B57CD4DA5AB3566177BD3B9FD8C306E3,SHA256=A063F9267414A21CF829526DC97C852417B0C373D8B411B67AA4202227011F57,IMPHASH=557851F516941D1F8C24A919BDE970CCtruetrue 23542300x800000000000000084689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.117{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\desktop.iniMD5=3A37312509712D4E12D27240137FF377,SHA256=B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.117{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\decipher.shMD5=AEA6CB605937BDADBD034047262E31F4,SHA256=05A626F4372D68783D12578727789F041E0857E07114FE0194B887582C0C3DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.117{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\ConfirmEmail.exeMD5=75256873A03F4A4BC073185F48C1097C,SHA256=068CA3E92C65EB907B5A34BE16580E267EFBBDE6F9129CA30AD80C948A1D3FFD,IMPHASH=41FB8CB2943DF6DE998B35A9D28668E8truetrue 23542300x800000000000000084686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.117{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\cipher.shMD5=B8D677801A1CF36DF3067D59C0708DED,SHA256=8B6B5BEB24609C35BBC4E34A9EA23D64BCA4EFF60B9CDD4ECE6502A1C8C6D55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.117{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\bg.jpgMD5=B5A22B24995B1485B7F8DB31E3F4E845,SHA256=857471CFA9010718B8612C5F8DA91B07452A91719667F1FE357255579621C89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.117{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\anubis.shMD5=8EBDBF116B8A8495613508197E877CA4,SHA256=FC1BB578C99F165E3EB8AC116B1ED42C60171EB83644104142C0294D915C856E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.117{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x86.pyMD5=1643CA1938B08BD33F9F1A3B6D01AF80,SHA256=89E93E9C2EF8B6E0B4154D818027D6D850507C62D4A677308EC1F3677EF5D935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.103{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x86.ps1MD5=54C88728BF357AFCC4D8B485C166B54C,SHA256=D8F94DD6D50EB4DD0528F3784883E20EB8499F5188E596DE217039A9DFF61E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.103{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x86.exeMD5=ECDA3174C7B7AC0596670CF184374B87,SHA256=91BD127FE5F8E96E424DC509A6910EDDE262142EEADD6BA9F316CB5BDE12221E,IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9truetrue 23542300x800000000000000084680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.103{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x86.dllMD5=8D72FC6FF9CB0971DF587D20DDA5E8C8,SHA256=0B7D19CF030839C3DF481069772C7A32B5A3BE4C41CE6B436AB69015FA90D98A,IMPHASH=E1DCFFDE169ED8B947DC63ACDB78AECAtruetrue 23542300x800000000000000084679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.103{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x64.pyMD5=5652592338DB9C578311BCD840B61A6F,SHA256=0C011BC812555A6868EDE5F189CB8C7A99C2C0BEAA7548A39A5E0162EF7DE251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.086{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x64.ps1MD5=4EBF3871BA1B7B1B821B211A34B5A7F6,SHA256=A55296309871408165C248CB6E5C88E84DA5682BDDDC5CCE220552660536D93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.086{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x64.exeMD5=4FCA0701B976C08A3A657A546BC82D7C,SHA256=F2093C8228896204C3403526C88FF3DDB4D9C7369A043EBB0B1A69B44CE63CD2,IMPHASH=17B461A082950FC6332228572138B80Ctruetrue 23542300x800000000000000084676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.086{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-x64.dllMD5=43616639411A590F022505998A6F567E,SHA256=6A289F491C8D5D789E31E89C73BA06EF6FC075458A1106B7213B29DA798F6C03,IMPHASH=F73CB1B8999C7E79C50459B8E1F144F0truetrue 23542300x800000000000000084675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.084{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-thread-x86.binMD5=95B4FEB185AF777C1BDD0812619C000C,SHA256=21BD99B20120DF1EFE5E1817403EE0173771643E2C4D91F5F2076787C3581627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.081{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-thread-x64.binMD5=9DC762D3FE1B459AFEE9DD840A4F3D70,SHA256=5B2D046064D85578ABC5E7FF686DB9E20B8008AA72BE99D10370551FE70D51B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.077{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-svc-x86.exeMD5=8FC088EEC229A693F2D754C67A2E506A,SHA256=DEEB89A16AA2B7B63504602DE422F508C196B8BE3289E57F3B9D74337D585425,IMPHASH=DE77F3139EAF74F1B255AB7BE0B6605Ftruetrue 23542300x800000000000000084672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.074{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-svc-x64.exeMD5=89BE3BE20CA0DCE73C12A5A015BCB9A5,SHA256=37E828DA01820AAD58414D0B73C935A0E408C274CDD872CBBAE25F9CBCBA0B08,IMPHASH=BED5688A4A2B5EA6984115B458755E90truetrue 23542300x800000000000000084671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.070{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-process-x86.binMD5=1123FDAA3AB9C341B986D57BD4B1844A,SHA256=72E686AC4559427CCB0302C638A88997B6A3E8895974C6E4648C27F69BBB0FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.065{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\Downloads\8082-process-x64.binMD5=5B10B59019C3DEF2540CA16DC1E1E456,SHA256=882EBE5138B2BA20DE111BF637DDFA1672A3C1CA756C8A5F962F11BDDDE10337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:31.173{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862527BB9574443C4644F4A2EC6F6E22,SHA256=C6AF4C0590BD53B9BF99E2C442E74AA80F3ACF68F2D2D63EFAEBEDE126CA1AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.280{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.280{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.278{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.265{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.255{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.252{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.225{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.218{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.205{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.201{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.198{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.196{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.193{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.191{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.189{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.188{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.186{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.185{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x800000000000000084722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.114{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.114{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BC9A01D0133CF09004A40C6412B1E1,SHA256=78854DD5F3920938DC88B9D4C1B7350B706FD554C639CF3BE9DA6598DC68E451,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:28.194{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49469-false10.0.1.12-8000- 11241100x800000000000000084719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.092{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x800000000000000084718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:31.091{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:32.271{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91758DBCF71FEB95D202725B2FB5C36,SHA256=DD96190AC3A627BAE7F5E1F2D6D58DBDFA08AF17A1EE4F74D31906BD42B58AB3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:32.187{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:32.187{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C66F4AC90855C95AE3537832EB603B,SHA256=D484D14F37076A68A0888A8B20A540BBA680CD3320C62513A40BB7733F6F60F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.629{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FEB8FF588665931E8F7D437312F4F2,SHA256=7D4BC96C4106920B0AE26F5F3D08036BE9D5ABC627DA5B479CC60D5273D23B37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.428{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.417{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.386{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.364{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.360{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.334{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.319{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 11241100x800000000000000084745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:33.285{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:33.285{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8FED4A96726F8A2B7DF5E9BDA60AD3,SHA256=BD70A25C9C77D57BD439B2D314A567CA41DDF54868964C9AF8C71BA9FED6E4D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.288{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.286{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.277{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.274{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.266{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.257{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.253{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.250{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.241{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.237{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.231{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.229{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.217{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.206{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.168{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.159{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.152{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.131{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.125{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.119{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.111{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.097{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.095{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 354300x800000000000000084743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:30.203{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49470-false10.0.1.12-8089- 23542300x800000000000000068672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:34.339{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811A9BC2FA5828A3819E5ADB8D6E0D20,SHA256=66DE017DEC2E2BB66CF1C4FE73BE10F6E2C1E3FC7EC688ACD813C3DB9F56CDA0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:34.386{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:34.386{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BB8E1270560B32C7C9EEC8A822861,SHA256=5EA8A0724A6BDCBD8A487B6FFA446BF7893FC0F6595E4C8E73C89EC731E66922,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:35.464{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:35.464{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFAE8BD7F897F05993B1D01EF4C670F,SHA256=CEF2B15068DDB7DF9B5D2D36A8DEF0366D9C55B5AB4F9B5140C30A5B1D41BC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:35.426{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FDBA561CF79FF8B34E5E7913C06BB1,SHA256=C31D1D6C47E8C8557EBE2F781951274C7AA13FFF09646487B83043D9BC51A3CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:33.124{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50328-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000084751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:36.561{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:36.561{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C945E33134B7CF86A488782CF93602B8,SHA256=380351130327E2614CBE82AFAE0F702A2619BF2D7808FD3D8E5A7578925C5855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:36.407{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797516EF046B94299CB5B3F75004FA73,SHA256=667DC93F8940977048C355481E783CAA5D4F4A9BB4DCE8566C301424171A5476,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:37.658{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:37.658{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EE1F98C6E873882AF25308E5509CA4,SHA256=5D7E5FA483C952D4923AF2226A52438AF1DCCD25DBA9A9FDCF010F7237FCF91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:37.506{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDED88983AA84C7C0FA34DF06713AB6C,SHA256=9950006B7876FCD58350C72A02EDE2D6ABB4DF0081AEA76E88F14DFE73FC9C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:34.938{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local138netbios-dgm 354300x800000000000000084753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:34.938{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x800000000000000084752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:34.199{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49471-false10.0.1.12-8000- 23542300x800000000000000068709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.756{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C9B252F7BC970EC3B33C795DB063F9,SHA256=7B6A1A225278E1B02D4A928DB882692456011721798C089387C936B6FC56862E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:38.745{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:38.745{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B26228DB4F9A5C201C3458A7411A18,SHA256=F131F0ADA662C932DF05CD4F75191B1E159620DBB2F09A6B738B5E0499D2D4A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:38.023{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000068710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:39.933{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2524967F8361EADCFC60549B3013D059,SHA256=4C5CAF54B2373C566E8E15A9DC615094133F5CE6100A731C3375628E2DAEEEA7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:39.839{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:39.839{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EFFDBF7C6C8144D795F3D35988C358,SHA256=DBB76685DB3CEEA29B4DAF1D7DACFC7E74078FC80F4870836C7EE0D4D1CCCD86,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:40.935{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:40.935{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280D41691ED55656F0EF2F2308757650,SHA256=D1A06D66DE639A103968F82C751279D98E32A73B22EBD9E69FB8CA704CDBB6BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:39.045{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50329-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:41.132{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59804219DB659DCBFF383399BB2EB534,SHA256=31C551AD9AEA9797CA40BFA788BDEA5D09EF931C46008E8CDFEDA7F632B81662,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:39.215{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49472-false10.0.1.12-8000- 23542300x800000000000000068713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:42.230{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16D5B78E3999A65CB5D44CB8EC44834,SHA256=0E929C1DB85958F506C583C6EDBB11CCF078E2A2CDC8C5BF90354BED223300AA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:42.025{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:42.025{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E3C8DAF92483FA0DEF26FBDF7877DE,SHA256=5922C2445DAF0A30ACA86668375BB2ED7E7989C8877EEFA6D5E01299761FC51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:43.324{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E449B1D4BB7F1C9096543F044557CF6,SHA256=6AED51B8E9D189BFB5E7F8C44A7ED2FA2931EFC7A1AD9BE04FC0824201710548,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:43.121{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:43.121{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4440E26CDDA9EAD2D30C089460B7859A,SHA256=13DF1EA9105ECA5A20178ED1DC6E6A754E5179419E6966B183A1EE678343FC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:44.421{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7958BFBE339F38CE297A7B807627D00,SHA256=CCE70CBD8ADF8B48207AF5F08AE0417C5E442D3796BAB3A9E5477B9FF4642E4B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:44.317{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:44.317{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E7F9A2E53EFA4A43DA2A189943D212,SHA256=575DDF344431AC7B1AE811879938779803BA657D7B7B3D036B46D4A6036D92C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:44.217{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=709120FE34FE4E68B43853263D8D3B05,SHA256=1D21922CA100EDBD944B97D786E8451626AFA576B027857EEF25352A616A9C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:45.631{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BEAE3F9581AC4BA1966672BAD48898,SHA256=350C1027F0226F90B8D4B223C91BB21644CC848B4DC535ED74A1058832309E56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:44.177{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50330-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000084771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:45.417{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:45.417{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3D48986696E20DDDFAD15083980FF8,SHA256=586BE61DF30F9B917024FBD56BE45D4ED28406D9D015E9B2901EA63EC1CB9509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:46.727{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54226BC60BDDEBCAE38765B2BD04A4FC,SHA256=9023E231B64C400AEA7E83B9D5EEFFD91C8AEC97938BEA9E2F1663FC19AB21AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:46.511{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:46.511{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3CB36ED4CA373EC8D48052B1F193EA,SHA256=F5CF86FA8ACEC4D18DC99EC91ADF4144707707EC107B77A20DEFBB18C51BF73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:47.822{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61FD6FA8707FD6C617F7BDD03E386E0,SHA256=A6C42574DA7965C1819C4271981B8F465F11343E739213DEB4CC0931A811B163,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:47.602{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:47.601{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF976731773C9D339537C0E3191B5E9C,SHA256=EFE23CEE3C3AC83D0DF312C86B27AF368819A07F896F2FB175FE18AD7705EC61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:45.466{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:241d:1a31:f5ff:fef0win-host-ctus-attack-range-245546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x800000000000000084774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:45.221{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49473-false10.0.1.12-8000- 11241100x800000000000000084801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.780{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.780{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5565B9033695B2AE5C9A31D0373BE218,SHA256=099960FFC1BD27ABA0DAB1AD0894301D51CD829EF6221C2A069343D60AEA4E7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.241{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.238{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.232{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.230{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.228{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.222{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.217{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.215{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.213{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.206{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.196{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 11241100x800000000000000084788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.195{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:31:48.195 10341000x800000000000000084787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.189{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.178{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.168{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.158{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.126{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.117{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.109{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.094{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.079{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.037{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000084777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:48.034{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 11241100x800000000000000084803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:49.969{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:49.969{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475E4B6487E7703AEAA67AE151DE46F5,SHA256=06434714C4B4FB596CD1A081A7DEBEF3EB7D5D64994596CA8B9A2F84F8E65C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:49.140{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C901110684C07FB3670A8FF53CFC0F,SHA256=4386FED19188C5A86E68B2D8713BBB4AA54F528BFE95ABD4BE435675DF7ECE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:50.340{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFE252E90C2298E04BA59BA0A370D3E,SHA256=CDAE15467B8758FBA7955EAA8E8B9B0C931A733AC9BD1F11703A4CD8D8A2574B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.920{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.919{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 734700x800000000000000084814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.384{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000084813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.382{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000084812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.380{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000084811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.379{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000084810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.378{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000084809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.377{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000084808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.375{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.293{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.289{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.282{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.266{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 354300x800000000000000068725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:50.127{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50331-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:51.435{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C7270F8599CBD1DCD079D37FA7B656,SHA256=AC418324F53104CDA5458CDCB4E13AE0F7CF57B1E18C8339C7CDD2FA1E3D0309,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.528{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.528{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.526{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.512{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.503{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.500{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.473{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.467{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.454{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.450{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.448{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.446{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.443{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.440{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.437{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.436{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.434{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000084819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.433{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 11241100x800000000000000084818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.116{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:51.116{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF29E1C73E3EACAF640930C101FE2A0,SHA256=4996CE41DC2B2F0404396DB75E84BA70E141F409D9F7EAD270F9DC70D9C8CE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:52.523{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED230485FB8D5685C9ACF6C86A190F1,SHA256=565EB126F2E85E2F2426ADDA5388181D405CB39C7E75234C084B372391565D64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:50.320{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49474-false10.0.1.12-8000- 11241100x800000000000000084839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:52.301{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:52.301{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A0D6A379913ED115AE4D155F026335,SHA256=45C2A2F79720CDCD22CE709339B640CED50403772542692A0C01E569D3B674B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:52.129{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2B889898949A9E14F036B7F93C2FF4CE,SHA256=E5D0211382C4195A31B325FD0A99612DF760D4010D9DCB27407174B201273780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.875{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB19991DC1622B7A8CBFB06CB5C393D,SHA256=282B600D36BFF7A17D6B14906F8FC511277589F518C70951218AB0C64A155425,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:53.465{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-17 09:39:52.340 23542300x800000000000000084843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:53.465{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2197AA4B86FA125DF28B09A47E833F31,SHA256=1BB461A0F58396CDCA276BF3568C5796A5730011BB23A4603C2804B9395257DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:53.403{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:53.403{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADCA643CB022CEC3659DF4BF9C109E4,SHA256=4D9C4D41549390017EB16E6997180027AC97FBFBC101A94D1B795A1F154A25A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.395{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.385{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.362{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.354{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.352{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.328{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.321{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.305{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.300{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.298{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.289{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.275{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.273{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.270{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.267{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.263{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.259{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.256{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.250{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.243{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.241{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.225{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.217{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.191{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.184{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.177{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.170{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.163{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.156{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.148{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.140{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.112{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000068727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:53.109{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 11241100x800000000000000084846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:54.517{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:54.517{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BA0FEAFF360CA63640E4FC26FA334A,SHA256=E109ECE04C4F9D5DF2A5AC16D8C74AA9B0702DB7C3CDB88E455201687D323AC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.981{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.981{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.979{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.979{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.970{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.970{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000084885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.970{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000084884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.901{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000084883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.901{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000084882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.885{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000084881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.885{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.885{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000084879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.885{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.885{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.885{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.885{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.885{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.885{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000084873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.885{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x800000000000000084872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.870{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.870{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.870{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.870{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000084868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.870{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x800000000000000084867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.870{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.870{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000084865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.870{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=4C76812B58E0B647D28D6FCEFC6702AF,SHA256=76CF6D4562438A4F51D526C1A9962F7174490A553CC9897C9F60A96702EEB680,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x800000000000000084864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Temp\svchost.exe0.0.0.0 --svchost.exeMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 734700x800000000000000084863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.870{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 734700x800000000000000084862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.870{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x800000000000000084861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\devrtl.dll10.0.14393.0 (rs1_release.160715-1616)Device Management Run Time LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationDEVRTL.DLLMD5=103D84E49F517098C0E8E14044BB1F73,SHA256=370BAADCA5D39C94A532D2E80EBA6CA537B47E41038A332412AEE4BBA5F025B9,IMPHASH=5DE6FAFA9C141BF53E629553C4AB42FBtrueMicrosoft WindowsValid 734700x800000000000000084860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000084859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000084858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDBSetValue2023-01-17 10:31:55.854{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\svchost.exeBinary Data 10341000x800000000000000084857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-6CE8-63C6-1300-00000000B002}6802916C:\Windows\System32\svchost.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-6CE8-63C6-1300-00000000B002}6802916C:\Windows\System32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-7634-63C6-B901-00000000B002}49006812C:\Windows\Explorer.EXE{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.854{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0.0.0.0 --svchost.exe"C:\Temp\svchost.exe" C:\Temp\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 11241100x800000000000000084848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.620{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:55.620{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1B3045B8952B09E8C7196AE2B894EB,SHA256=BB069E3CE30F70B49EBEDD6184CFD977C43E994E61067E9C4F59666C25B9577E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:55.012{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988331624F142DC016ADC9830FD39E17,SHA256=6391DA2A0195EFD8CACAF76EE26C9FC301335ADC1AAA3E977E6055EC38DC8213,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.951{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000084919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.951{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B59FEFB2C58018BD4D85515F17062808,SHA256=B126D288B2A85BF7154F925134ED2C5AB469D45062E8C73078B7C87A3946C49B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.639{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.639{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E98069DE4138401CE64A19BD762AA7,SHA256=4E2E83C6CDA3CD036B607EACEF84428CE718D265C3DD532AAC378E619E3E3B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:56.098{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E75F55E94DDC29FEA5BA0E75447F2D,SHA256=BDE053502CED281159CC1FEB12CCF17D9C325A3B3C4FB447AB691DE2C578706A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000084916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.436{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.436{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB386CFDFC3927590A34BAD5B54E64E,SHA256=91E05A02BB177B4670262D734B199514BC889ED1A443D28183E1624ABF65EE29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.374{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.374{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.374{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.374{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.358{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.357{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.341{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.341{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.325{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.325{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.325{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.325{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000084902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.325{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll4.8.4545.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=2FAB64A8785560F3831C0C7A07105E56,SHA256=F511E0987071071C6932C33C02B2C6F3D379482690813FA5212CA5E646068662,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000084901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.216{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=1E97AB4809C6F313924374B955C06609,SHA256=0EED3DC3607EC986FFC8BE594A6656D668647DCC84E2158006123A4EBD273B12,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 734700x800000000000000084900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.216{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.200{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=06E661551B61E29907B1CF0D4EBB955B,SHA256=E62035FBB0E5259597695708F9B10FDD5D5FF5459D659EAB880FA265E8E8DF2E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000084898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.060{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000084897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.060{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=68A3AFFC2DBE4F4A2D415E22A1AF3BD4,SHA256=1C3D08DD8717AC890AA955FE7811D73DF547E8C9B1B1156B9F9CA91A0DECC455,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.024{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.013{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 734700x800000000000000084894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.008{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153,IMPHASH=0524DC27AA10ADA72FFB6F88F5FD8829trueMicrosoft CorporationValid 734700x800000000000000084893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.003{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32F,IMPHASH=CD244BF7A749BF0B13E038D2EE842BFCtrueMicrosoft CorporationValid 734700x800000000000000084892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.002{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=3E93DA6D9661961064868E1DC8719674,SHA256=94E0505EFFF30A222546870508A8016D3EABE0F1B05ECC51997153AB9D9188DF,IMPHASH=259C196C67C4E02F941CAD54D9D9BB8AtrueMicrosoft CorporationValid 10341000x800000000000000068771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:56.015{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:56.015{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:56.015{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620668C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:56.001{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.873{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000084957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.873{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000084956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.873{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000084955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.685{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.670{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.654{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.639{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.623{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.607{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.607{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.607{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.607{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.592{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.592{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.592{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.576{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.560{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.560{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.514{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.482{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.482{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.482{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.451{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.420{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.404{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.389{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.374{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.358{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.325{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.232{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.216{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.216{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.216{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.185{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.185{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.107{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.091{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:57.075{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 354300x800000000000000068774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:56.074{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50332-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:57.191{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B1444292DA4F7BF6E9740750132492,SHA256=2E5A48FBBDFD3234891671C07DA98FA16A6A2233EE31E4A152E02E46B685DFCF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.907{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.907{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BF5B6227A647F8892C180112F195DA,SHA256=054EE38E61A5427A262BA41E15794F81813DFD0C17447FA008F7D97E4AD3C3D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.814{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.814{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.798{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.798{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.782{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.782{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.782{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.767{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.767{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000068775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:58.385{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57D44408F224E26E9B12B857CA672E6,SHA256=ACECBA863C39A9D2C62B9266D71A792EFC586994DAB7C04160C6C59FD79D0023,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.767{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.767{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.767{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.767{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000085026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.767{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll4.8.4545.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=2FAB64A8785560F3831C0C7A07105E56,SHA256=F511E0987071071C6932C33C02B2C6F3D379482690813FA5212CA5E646068662,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.767{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=1E97AB4809C6F313924374B955C06609,SHA256=0EED3DC3607EC986FFC8BE594A6656D668647DCC84E2158006123A4EBD273B12,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 734700x800000000000000085024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.767{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000085023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=06E661551B61E29907B1CF0D4EBB955B,SHA256=E62035FBB0E5259597695708F9B10FDD5D5FF5459D659EAB880FA265E8E8DF2E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000085022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 734700x800000000000000085021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32F,IMPHASH=CD244BF7A749BF0B13E038D2EE842BFCtrueMicrosoft CorporationValid 734700x800000000000000085020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153,IMPHASH=0524DC27AA10ADA72FFB6F88F5FD8829trueMicrosoft CorporationValid 734700x800000000000000085019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=3E93DA6D9661961064868E1DC8719674,SHA256=94E0505EFFF30A222546870508A8016D3EABE0F1B05ECC51997153AB9D9188DF,IMPHASH=259C196C67C4E02F941CAD54D9D9BB8AtrueMicrosoft CorporationValid 734700x800000000000000085018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000085017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000085016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000085015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000085009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000085008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000085007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x800000000000000085006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000085005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000085004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000085003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000085002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.751{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x800000000000000085001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000084999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 734700x800000000000000084998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\svchost.exe0.0.0.0 --svchost.exeMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 10341000x800000000000000084996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-791B-63C6-5002-00000000B002}42686112C:\Temp\svchost.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+5958c|C:\Windows\System32\shell32.dll+125a17|C:\Windows\System32\shell32.dll+125975|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd65|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+633e85|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6893 11241100x800000000000000084990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 154100x800000000000000084989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.744{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0.0.0.0 --svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe"C:\Temp\svchost.exe" 10341000x800000000000000084988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2F83E4F4ED66764E4F181873690C6B,SHA256=8EC0AC05626D3B0AC67020D717815BCF742AA2404E6BD53A53D93F24E9E2C576,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000084985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.735{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 734700x800000000000000084984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.720{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.720{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.720{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x800000000000000084981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.720{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 10341000x800000000000000084980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.704{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.704{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x800000000000000084978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.689{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000084977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.689{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.689{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.689{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000084974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.689{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000084973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.689{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 11241100x800000000000000084972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.689{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Users\Administrator\AppData\Roaming\svchost.exe2023-01-17 10:31:58.689 734700x800000000000000084971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.673{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000084970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.673{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000084969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.673{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000084968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.673{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000084967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.673{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000084966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.673{F172AD64-791B-63C6-5002-00000000B002}4268C:\Temp\svchost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 354300x800000000000000084965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:56.248{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49475-false10.0.1.12-8000- 10341000x800000000000000084964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.626{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.626{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.626{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 10341000x800000000000000084961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.470{F172AD64-791B-63C6-5002-00000000B002}42685844C:\Temp\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BD20C3) 11241100x800000000000000084960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.141{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000084959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:58.141{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6323E205B96EE907FADF9451E04F438,SHA256=2BB17569F8956AF313A70878D6346673056EEE8567ADD47C254BFB9D67B661CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.843{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.828{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.828{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 11241100x800000000000000085081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.812{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.812{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE592D8B880FBD005500B64AB0B962BE,SHA256=9F74AA76B0DE547E7F3D39ED8BD9F47AADAE9A0A896D70D65D69FF3315F46A75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.797{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.781{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.781{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.765{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.765{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.765{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.750{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.750{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.750{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.734{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.718{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.718{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 23542300x800000000000000068777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:59.670{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:59.482{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402BD8CA7AF437C4FEDFDF82EFBB1285,SHA256=C5C0E25842A8396CA5EE0DED8D5EBA2AAE38BFCD1528EE7A9B15CAB7B87A53BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.672{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.640{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.640{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.640{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.609{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.593{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.578{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.562{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.547{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.531{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.500{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.406{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.406{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.406{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.390{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.375{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.360{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.296{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.280{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.265{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.046{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.046{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.046{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.043{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.043{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:31:59.043{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000068779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:00.581{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DC5D8B0E85725213635D46A50C2935,SHA256=172357807A7C33779E8A1E2D7A41625448C34A626C7010E1ABD88EB8C4D4E2A1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.981{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Contacts\read_it.txt2023-01-17 10:32:00.981 11241100x800000000000000085116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.981{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Contacts\desktop.ini2023-01-16 12:49:00.671 23542300x800000000000000085115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.981{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Contacts\desktop.iniMD5=449F2E76E519890A212814D96CE67D64,SHA256=48A6703A09F1197EE85208D5821032B77D20B3368C6B4DE890C44FB482149CF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.967{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Links\Downloads.lnk2023-01-16 12:49:00.623 23542300x800000000000000085113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.967{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Links\Downloads.lnkMD5=2C62C208EC5E695682CF26D50EDD763C,SHA256=A533F0843F44A5C3E3363277F59EBA8F0CD4F5FFA388CD22460E6AE788BAA699,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.950{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Links\Desktop.lnk2023-01-16 12:49:00.623 23542300x800000000000000085111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.950{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Links\Desktop.lnkMD5=F8B5DC2999F13FE4E11D1AACBC3BF68C,SHA256=F0BA4A53F1339134E8331BD4157A9B3CE2D6933B3DFAE488E340ABEBD25519F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.934{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Links\read_it.txt2023-01-17 10:32:00.934 11241100x800000000000000085109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.934{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Links\desktop.ini2023-01-16 12:49:00.623 23542300x800000000000000085108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.934{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Links\desktop.iniMD5=3B960DA228CC489B622697659C885D64,SHA256=A4234E2CF44C57609FD7CB0F9F0A33EE136B542FBA5121AC02D85B38FB2EA02D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.919{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Desktop\read_it.txt2023-01-17 10:32:00.919 11241100x800000000000000085106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.919{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Desktop\desktop.ini2023-01-16 12:49:00.655 23542300x800000000000000085105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.919{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Desktop\desktop.iniMD5=9E36CC3537EE9EE1E3B10FA4E761045B,SHA256=4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.903{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000085103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.903{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000085102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.903{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000085101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.903{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 11241100x800000000000000085100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.888{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url2023-01-17 10:32:00.888 734700x800000000000000085099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.888{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000085098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.888{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000085097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.888{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000085096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.888{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000085095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.888{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000085094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.888{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 11241100x800000000000000085093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.873{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.873{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCE51007BFCC5D01D76ED5F433D1E12,SHA256=7FF3211C76043083CF71D8A859C1F556A8965C40F06D535BA40990D157BE16CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.846{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.842{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.840{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.840{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.840{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.840{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 10341000x800000000000000085085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.667{F172AD64-791E-63C6-5102-00000000B002}48486428C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFF75BB20C3) 23542300x800000000000000068778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:00.370{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BFF9B4A1328640F3FF7A6634A0499396,SHA256=BC83052F3915DE1C7113E78BF405EC52BC3E4BE96F7BA754A08EF04340F340FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:01.672{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BF80E808D3898E2051496D0F544241,SHA256=B59907DAB46C294298DCE649F84C926F06DCA0EE85AB9388A344913542A1C11C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.990{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE.lnk2023-01-16 12:49:00.671 23542300x800000000000000085303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.990{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE.lnkMD5=07A234DD7152D3A096813CF7EEC2716F,SHA256=C6AE4FD41FA3A3321A0A1E1C45F35CB9121D5DFCD88C93D07E5D2C7DE2D8114A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.975{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE (x86).lnk2023-01-16 12:49:00.671 23542300x800000000000000085301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.975{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE (x86).lnkMD5=7B782D03F87EFE67699E7A86CF26D760,SHA256=8F2C27FBA5A387688E364741253CDBD70603CDABA50943F0B7F502C75D62DA2D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.959{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk2023-01-16 12:49:00.686 23542300x800000000000000085299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.959{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnkMD5=510E4FA844BB11EA3F8D72C1139DFEF3,SHA256=1F55B99FAB1718B049EF364D6F08C75AECEFBC4AFA09CDE338F324532F8FACCF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.943{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\read_it.txt2023-01-17 10:32:01.943 11241100x800000000000000085297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.943{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini2023-01-16 12:49:00.686 23542300x800000000000000085296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.943{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.iniMD5=3AA1D8D650944F797F80D23D67A2F335,SHA256=051EAC875E4DCC20F0C7DCE3ED02A9FDD347F554550774EF7EC827248B4CE1E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.928{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk2023-01-16 12:49:00.686 23542300x800000000000000085294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.928{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnkMD5=092714663B52A05A502064C0B0D8BF63,SHA256=4CBF03BB0C332DAFDAA3E6BCC6D5A124F9F85ED1FED01D98F95EC2366C5B6C6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.912{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk2023-01-16 12:49:00.686 23542300x800000000000000085292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.912{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnkMD5=F727CBB9351106B2DD46F3EF649F3176,SHA256=CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.896{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.896{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BEFBC34966C5056DDE2533E9D3EF59,SHA256=5C313C5CE1FF856E96D6996025BCCCC9243C5991F01E3C83FE1DA0657441510E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.896{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Devices.lnk2023-01-16 12:49:00.702 23542300x800000000000000085288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.896{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Devices.lnkMD5=E60A7E278BC694076661117BB4B248F1,SHA256=BEC21DD34FCD51950D626F0666A31B924E177A55151E8BC2BC5E195013D7CFDD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.881{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini2023-01-16 12:49:00.718 23542300x800000000000000085286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.881{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.iniMD5=9E99BA5EFB1439677D639C9DF7A49DEE,SHA256=E82D3C52740AC98C944882F75C2F217733D8E8296D7E12F21D535DDBBD9AFF5A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.865{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Default Apps.lnk2023-01-16 12:49:00.718 23542300x800000000000000085284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.865{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Default Apps.lnkMD5=541E2634F626B4215659A5A276F962FD,SHA256=DE9CA038478523D68236080DA9AD498701D57D4B744E13ED6F9C03E765859805,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.850{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk2023-01-16 12:49:00.734 23542300x800000000000000085282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.850{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnkMD5=1D89A7F7F66D683C95D8EEC0AF1E82C3,SHA256=3BF1D7428EBE4FE2D8F38D4779F96E9AA20D1D70BFC60EF330B00428012D309D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.834{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk2023-01-16 12:49:00.749 23542300x800000000000000085280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.834{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnkMD5=6B9C9C4C85FCA5D45F285D888F02B232,SHA256=4D51B22D4A3C4CF81C0043D7C4C2996C1A39548C7BC9E3F1DAE56DD17C062D22,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.818{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk2023-01-16 12:49:00.749 23542300x800000000000000085278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.818{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnkMD5=9C82E435DB86860EDB5CED5F369BDFB3,SHA256=23DB6DD5BB4644850D5AFE83F1126D582238162AB480479FB12A6B9998A82511,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.818{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.818{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069F9AB748C5CF43F91FFD8B5E5D986A,SHA256=777F069F997996FF0C61EB8FE8A91A17D233515BAB45A37275699A61036ADFDA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.803{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\read_it.txt2023-01-17 10:32:01.803 11241100x800000000000000085274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.803{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk2023-01-16 12:49:00.749 23542300x800000000000000085273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.803{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnkMD5=FE93D384CD49C6B66F9D1FA67B1C6A16,SHA256=6294EDC7ED986CECE4ED66F5EF873AED771A54DEDFB65A9BE66D004B9279F116,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.787{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt2023-01-17 10:32:01.787 11241100x800000000000000085271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.787{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini2023-01-16 12:49:00.765 23542300x800000000000000085270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.787{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.iniMD5=7F1698BAB066B764A314A589D338DAAE,SHA256=CDB11958506A5BA5478E22ED472FA3AE422FE9916D674F290207E1FC29AE5A76,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.771{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\read_it.txt2023-01-17 10:32:01.771 11241100x800000000000000085268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.771{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini2023-01-16 12:49:00.765 23542300x800000000000000085267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.771{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.iniMD5=CAC4D0F604168B35338F40B0FE08C453,SHA256=8D1EDA3F60FDB808BB783045C7295EF4ECA5192136160F6C46A919E9E53E92E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.756{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\read_it.txt2023-01-17 10:32:01.756 11241100x800000000000000085265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.756{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini2023-01-16 12:49:00.781 23542300x800000000000000085264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.756{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.iniMD5=548B310FBC7A26D0B9DA3A9F2D604A0C,SHA256=BE49AFF1E82FDDFC2AB9DFFFCB7E7BE100800E3653FD1D12B6F8FA6A0957FCAC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.740{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk2023-01-16 12:49:00.781 23542300x800000000000000085262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.740{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnkMD5=EE27DB3652032A3498C54A12407B0CB5,SHA256=5E7A26E2D64F644E159A6BD5BCEB5736C5C71FEFE3D648425338B22DC840CBC2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.725{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk2023-01-16 12:49:00.781 23542300x800000000000000085260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.725{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnkMD5=E80299553C7C86D6CB4B9FDB9146850F,SHA256=E3F290FF167E0B22C2EAFC8081068375AE963B7E277043BA047FE7DB9DD8BCA1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.709{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\read_it.txt2023-01-17 10:32:01.709 11241100x800000000000000085258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.709{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini2023-01-16 12:49:00.781 23542300x800000000000000085257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.709{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.iniMD5=3A2D5E6CEEB1BFC64E8B7FE7C1697BB6,SHA256=0B4987D67F591D62F09BCEEF32299562ACF224E9ECC59A6EBAC45B6CF23D895F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.693{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk2023-01-16 12:49:00.781 23542300x800000000000000085255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.693{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnkMD5=96D2182F306AD9DEF78A9ED022F0E3A2,SHA256=0A14336150D8750543E072700586D2ACEF25562F26A8D6BA0E17313E3F743097,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.678{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk2023-01-16 12:49:00.781 23542300x800000000000000085253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.678{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnkMD5=C740E5FB2FA17A182AC411982216C9B9,SHA256=866F8C3DC8FD95DEF902CC315CA055E796BE1C2819B1A9586A2D390F690F7B18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.662{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk2023-01-16 12:49:00.797 23542300x800000000000000085251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.662{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnkMD5=C83CBD5F97A8E7B3D2E16D3A8B539E8F,SHA256=28E66BF0D21FCE9B1B78BFE8ABA00BCB47E2FB8A9EF903130AB914F971BE98A8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.647{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\read_it.txt2023-01-17 10:32:01.647 11241100x800000000000000085249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.647{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini2023-01-16 12:49:00.812 23542300x800000000000000085248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.647{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.iniMD5=D69BA89AE591A62E758F84E1A06DDA6C,SHA256=BE3B457C123FD5B98BEF1C6224CEFDC3EA84E0DEADF3B92740929A8A19476602,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.631{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\read_it.txt2023-01-17 10:32:01.631 11241100x800000000000000085246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.631{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini2023-01-16 12:49:00.765 23542300x800000000000000085245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.631{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.iniMD5=17D5D0735DEAA1FB4B41A7C406763C0A,SHA256=768B6FDE6149D9EBBED1E339A72E8CC8C535E5C61D7C82752F7DFF50923B7AED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.615{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\read_it.txt2023-01-17 10:32:01.615 11241100x800000000000000085243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.615{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini2023-01-16 12:49:00.828 23542300x800000000000000085242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.615{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniMD5=A2D31A04BC38EEAC22FCA3E30508BA47,SHA256=8E00A24AE458EFFE00A55344F7F34189B4594613284745FF7D406856A196C531,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.600{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini2023-01-16 12:49:00.828 23542300x800000000000000085240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.600{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.iniMD5=E5DD8495A100A9AA69637A23F1AEAE2E,SHA256=E6B8D4B42513796767B593A7C0C1CD2CC959082BA63BAEEF4D0F4F4D45F99ADE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.584{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\read_it.txt2023-01-17 10:32:01.584 11241100x800000000000000085238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.584{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK2023-01-16 12:49:00.844 23542300x800000000000000085237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.584{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNKMD5=B5C9338E8469CED1269945DE17CF9E5F,SHA256=DD1A009015FB7F95CA2AC829347166A727F043C4DDC5ABCD7B48BBC428C2CBD1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.568{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\WindowsUpdate.lnk2023-01-16 12:49:00.844 23542300x800000000000000085235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.568{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\WindowsUpdate.lnkMD5=9C48588E680744B87118D82A37A75FD4,SHA256=BEBE6EF7D3CABB653C2E96D574ECD56893E1BA005A3144E3AD22E263D77A6DC3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.553{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Uninstall a program.lnk2023-01-16 12:49:00.859 23542300x800000000000000085233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.553{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Uninstall a program.lnkMD5=957C6A92988CB813A0EF90C021F266CF,SHA256=588A31053B19A3E8F5B4E7EF16AC9C45862EB097E9403739B59E0FD437D623EA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.537{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini2023-01-16 12:49:00.859 23542300x800000000000000085231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.537{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\desktop.iniMD5=F107D0270E21A2FE91099FDC15918D44,SHA256=EB315C9D165B4916E3B00E4D148B53A6C03A2F0694A6A8821D98E76F935CA6A8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.521{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AWS.EC2.WindowsUpdate.lnk2023-01-16 12:49:00.891 23542300x800000000000000085229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.521{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AWS.EC2.WindowsUpdate.lnkMD5=DA8BF763E2E5CF0BF5B15904D5F1A772,SHA256=8D2980A1D9335828E65E672DDEAEB176352BAA888E6577412A371EB79D6932BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.490{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AWS.EC2.WindowsUpdate (2).lnk2023-01-16 12:49:00.891 23542300x800000000000000085227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.490{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\AWS.EC2.WindowsUpdate (2).lnkMD5=5B1C20A061F29562B59F87845F26740F,SHA256=6A440962585B8EDB79692008F0799FC1A3997BF22C184485D2904EE528157313,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.475{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\read_it.txt2023-01-17 10:32:01.475 11241100x800000000000000085225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.475{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\All Tasks.lnk2023-01-16 12:49:00.922 23542300x800000000000000085224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.475{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\All Tasks.lnkMD5=B9B802C542FBC14A90643F3F8FDF8B94,SHA256=1FD2CF2D65BBA1F025C95F23B802EF8CB9EAE6BB19BCA602997B28AAED8B0375,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.459{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\read_it.txt2023-01-17 10:32:01.459 11241100x800000000000000085222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.459{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini2023-01-16 12:49:00.938 23542300x800000000000000085221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.459{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\desktop.iniMD5=99D72ADF4E683FA1E6F1A435FF5BE9B3,SHA256=873BCD7FC25E21142BDFCD6C8F2BEA3E294A055E3F132D8A2B3407ABA45074E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.459{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.459{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7E0A26BCF0515C19D1CF8F53A1736C,SHA256=97A474EE600342AD18D6A2CFFB7030C3A990536B5DB1815088E5A9828A526041,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.443{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\AccountPictures\read_it.txt2023-01-17 10:32:01.443 11241100x800000000000000085217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.443{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini2023-01-16 12:49:00.954 23542300x800000000000000085216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.443{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.iniMD5=08E1B7B2FD872CDCC42AF67707DC2A98,SHA256=4E252DBEE2058E1CF6F78FC67568759A8AD213BCAFE33192E55DD5712D7E4ABD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.428{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk2023-01-16 12:49:00.954 23542300x800000000000000085214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.428{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnkMD5=E80299553C7C86D6CB4B9FDB9146850F,SHA256=E3F290FF167E0B22C2EAFC8081068375AE963B7E277043BA047FE7DB9DD8BCA1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (7).lnk2023-01-17 10:19:40.279 23542300x800000000000000085212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (7).lnkMD5=E80299553C7C86D6CB4B9FDB9146850F,SHA256=E3F290FF167E0B22C2EAFC8081068375AE963B7E277043BA047FE7DB9DD8BCA1,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000085210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000085209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000085208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000085207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x800000000000000085206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000085203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000085202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.412{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000085197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000085195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000085194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000085193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 11241100x800000000000000085191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (6).lnk2023-01-16 12:49:00.970 734700x800000000000000085190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 23542300x800000000000000085189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (6).lnkMD5=E80299553C7C86D6CB4B9FDB9146850F,SHA256=E3F290FF167E0B22C2EAFC8081068375AE963B7E277043BA047FE7DB9DD8BCA1,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000085187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000085186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x800000000000000085182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.396{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000085180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.381{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (5).lnk2023-01-16 12:49:00.970 23542300x800000000000000085179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.381{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (5).lnkMD5=E80299553C7C86D6CB4B9FDB9146850F,SHA256=E3F290FF167E0B22C2EAFC8081068375AE963B7E277043BA047FE7DB9DD8BCA1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.366{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (4).lnk2023-01-16 12:49:00.970 23542300x800000000000000085177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.366{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (4).lnkMD5=E80299553C7C86D6CB4B9FDB9146850F,SHA256=E3F290FF167E0B22C2EAFC8081068375AE963B7E277043BA047FE7DB9DD8BCA1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.356{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (3).lnk2023-01-16 12:49:00.970 23542300x800000000000000085175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.356{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (3).lnkMD5=E80299553C7C86D6CB4B9FDB9146850F,SHA256=E3F290FF167E0B22C2EAFC8081068375AE963B7E277043BA047FE7DB9DD8BCA1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.330{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (2).lnk2023-01-16 12:49:00.970 23542300x800000000000000085173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.330{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (2).lnkMD5=E80299553C7C86D6CB4B9FDB9146850F,SHA256=E3F290FF167E0B22C2EAFC8081068375AE963B7E277043BA047FE7DB9DD8BCA1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.311{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk2023-01-16 13:05:04.950 23542300x800000000000000085171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.311{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnkMD5=B1D2717C394721CB0AB2C1DD72D8B29C,SHA256=28003563870418E2580A6D74C8C94C27D76BD11396DEE9DFC8C42C1B6F624DAE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.295{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk2023-01-16 12:49:00.970 23542300x800000000000000085169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.295{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnkMD5=F727CBB9351106B2DD46F3EF649F3176,SHA256=CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.280{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (7).lnk2023-01-17 10:19:40.399 23542300x800000000000000085167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.280{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (7).lnkMD5=F727CBB9351106B2DD46F3EF649F3176,SHA256=CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.265{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (6).lnk2023-01-16 12:49:00.985 23542300x800000000000000085165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.265{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (6).lnkMD5=F727CBB9351106B2DD46F3EF649F3176,SHA256=CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.249{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (5).lnk2023-01-16 12:49:00.985 23542300x800000000000000085163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.249{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (5).lnkMD5=F727CBB9351106B2DD46F3EF649F3176,SHA256=CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.232{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (4).lnk2023-01-16 12:49:00.985 23542300x800000000000000085161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.232{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (4).lnkMD5=F727CBB9351106B2DD46F3EF649F3176,SHA256=CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.217{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (3).lnk2023-01-16 12:49:00.985 23542300x800000000000000085159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.217{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (3).lnkMD5=F727CBB9351106B2DD46F3EF649F3176,SHA256=CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.201{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (2).lnk2023-01-16 12:49:00.985 23542300x800000000000000085157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.201{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (2).lnkMD5=F727CBB9351106B2DD46F3EF649F3176,SHA256=CF116B33831DE9F80847ABDB2A0D92AB3D3F956A8E209EC95D35D986EEA8C7B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.185{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\read_it.txt2023-01-17 10:32:01.185 11241100x800000000000000085155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.185{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini2023-01-16 12:49:01.001 23542300x800000000000000085154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.185{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.iniMD5=3E1903415FC4D2E8A5B70E6506A4610C,SHA256=7D464D098EF370E883F7289D09DFD4E346BDCB10BD19AD16BF818516D196E866,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.170{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk2023-01-16 12:49:00.954 23542300x800000000000000085152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.170{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnkMD5=DD26C664F5264C672B6C4C260ED79C73,SHA256=F8AF405FB4819223F8F55C0EE3C054D58998AF1560CEDEDEAEE35EA46A3497BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.154{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk2023-01-16 12:49:01.001 23542300x800000000000000085150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.154{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnkMD5=325B790BC93AD8D27655C44365B485C0,SHA256=78BE9C61505CD98110A9B9EAD83FAC552D5B89FC549988FC9050CDAFFB66F281,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.138{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\read_it.txt2023-01-17 10:32:01.138 11241100x800000000000000085148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.138{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini2023-01-16 12:49:01.001 23542300x800000000000000085147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.138{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniMD5=DEE294828EE7536D2F8C97BD714C8AF8,SHA256=BE29918EBC9503393EB28C8BF2026D8E240F08A087B1B6597F55E1D49A4B652F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.123{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Videos\read_it.txt2023-01-17 10:32:01.123 11241100x800000000000000085145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.123{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Videos\desktop.ini2023-01-16 12:49:00.608 23542300x800000000000000085144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.123{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Videos\desktop.iniMD5=50A956778107A4272AAE83C86ECE77CB,SHA256=B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.107{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000085142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.107{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=29421FA2445901979558ABA3F5F9EE51,SHA256=F63F791457E8370CDA2783D9F6D416240CA2B362BA8341B0BE8AB4B83D55924F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.107{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Searches\read_it.txt2023-01-17 10:32:01.107 11241100x800000000000000085140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.091{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Searches\desktop.ini2023-01-16 12:49:00.623 23542300x800000000000000085139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.091{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Searches\desktop.iniMD5=089D48A11BFF0DF720F1079F5DC58A83,SHA256=A9E8AD0792B546A4A8CE49EDA82B327AD9581141312EFEC3AC6F2D3AD5A05F17,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.091{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Favorites\Links\read_it.txt2023-01-17 10:32:01.091 11241100x800000000000000085137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.091{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Favorites\Links\desktop.ini2023-01-16 12:49:00.639 23542300x800000000000000085136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.091{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Favorites\Links\desktop.iniMD5=3C106F431417240DA12FD827323B7724,SHA256=E469ED17B4B54595B335DC51817A52B81FCF13AAD7B7B994626F84EC097C5D57,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.076{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Favorites\read_it.txt2023-01-17 10:32:01.076 11241100x800000000000000085134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.076{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Favorites\desktop.ini2023-01-16 12:49:00.639 23542300x800000000000000085133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.076{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Favorites\desktop.iniMD5=881DFAC93652EDB0A8228029BA92D0F5,SHA256=A45E345556901CD98B9BF8700B2A263F1DA2B2E53DBDF69B9E6CFAB6E0BD3464,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.061{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Saved Games\read_it.txt2023-01-17 10:32:01.061 11241100x800000000000000085131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.061{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Saved Games\desktop.ini2023-01-16 12:49:00.623 23542300x800000000000000085130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.061{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Saved Games\desktop.iniMD5=B441CF59B5A64F74AC3BED45BE9FADFC,SHA256=E6FDF8ED07B19B2A3B8EFF05DE7BC71152C85B377B9226F126DC54B58B930311,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.048{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Music\read_it.txt2023-01-17 10:32:01.048 11241100x800000000000000085128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.048{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Music\desktop.ini2023-01-16 12:49:00.623 23542300x800000000000000085127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.047{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Music\desktop.iniMD5=06E8F7E6DDD666DBD323F7D9210F91AE,SHA256=8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.033{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Pictures\read_it.txt2023-01-17 10:32:01.033 11241100x800000000000000085125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.032{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Pictures\desktop.ini2023-01-16 12:49:00.623 23542300x800000000000000085124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.032{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Pictures\desktop.iniMD5=29EAE335B77F438E05594D86A6CA22FF,SHA256=88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.013{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\read_it.txt2023-01-17 10:32:01.013 11241100x800000000000000085122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.013{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\desktop.ini2023-01-16 12:49:00.639 23542300x800000000000000085121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:01.013{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\desktop.iniMD5=3A37312509712D4E12D27240137FF377,SHA256=B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.997{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Documents\read_it.txt2023-01-17 10:32:00.997 11241100x800000000000000085119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.997{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Documents\desktop.ini2023-01-16 12:49:00.639 23542300x800000000000000085118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:00.997{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Documents\desktop.iniMD5=ECF88F261853FE08D58E2E903220DA14,SHA256=CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.990{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000085879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.943{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 734700x800000000000000085878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.943{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 11241100x800000000000000085877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.927{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.927{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4E0998AF4D6924980A393DA6DE357F,SHA256=4AF9B722BF9BF0E87BA42E5BA70EB7AAD21F231E8B970BEEF9D67C9BDEDF50A7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.911{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000085874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.911{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x800000000000000085873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.911{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3925E01E00CC6FF3435E0657E78562D0,SHA256=843F42CE8D28816A990ADB0B9393592703F8CE5A4008E5F5513815A2886F973F,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x800000000000000085872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.896{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=C9DBBC2C3A27BB195586C3BC3CDBC198,SHA256=005F60E22A386DB12FA086D7E83DE521B00F69B073D1859E4E13C3F745690638,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x800000000000000085871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.896{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x800000000000000085870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.880{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 734700x800000000000000085869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.865{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046,IMPHASH=563B6F147961D943E0261E05EAD94B56trueMicrosoft WindowsValid 734700x800000000000000085868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.865{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x800000000000000085867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.850{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000085866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.850{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\oleacc.dll7.2.14393.5127 (rs1_release_inmarket.220514-1756)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=3737D7B3A07BD11A31CD91B11F7EBA46,SHA256=528C1810C991DD93FA25D6A67A1415BC0A189189AEE0A62C0C79A43AA594E978,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 734700x800000000000000085865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.834{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000085864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.834{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x800000000000000085863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.834{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x800000000000000085862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.831{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\msxml6.dll6.30.14393.5648MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=B82E1559DD59365F9C56E23434DA4FB6,SHA256=BA153BC8608EBE74778B362FFDA7805C7871199D6C9BD6819DC0239E84009900,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 734700x800000000000000085861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.809{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\mmcndmgr.dll10.0.14393.4169 (rs1_release.210107-1130)MMC Node Manager DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmmcndmgr.dllMD5=DDDF9C3B3B4CCFAAD35BA49B0864608F,SHA256=A8EE05699A2CE04D63D078C33A397ABE8D90AE6BC5F0156230620615B13A2F8B,IMPHASH=51AD9533DC3E1E0CFCFEECD129A51944trueMicrosoft WindowsValid 11241100x800000000000000085860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.805{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.805{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FB2C451AC8DC24529E23D565EB9329,SHA256=FD008EAFDBE60373B9BF159C2440304F74F415F623AD7FE486DF9787BF495B6F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.776{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853trueMicrosoft WindowsValid 734700x800000000000000085857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.783{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000085856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.782{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000085855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.782{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000085854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.782{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x800000000000000085853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.782{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x800000000000000085852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.780{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000085851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.780{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000085850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.779{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000085849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.779{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000085848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.779{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000085847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.778{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000085846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.777{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 10341000x800000000000000085845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.766{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.766{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.766{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.765{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.765{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.765{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000085839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.759{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000085838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.758{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x800000000000000085837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.758{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000085836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.757{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\odbc32.dll10.0.14393.3471 (rs1_release_1.191218-1729)ODBC Driver ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationodbc32.dllMD5=7BE20E672645485F6A3B2E34389344BA,SHA256=B6F6E06CACEE09FB6CC0ACF874477FC9094EA4C14A07FF59B228BDD23C7BF02A,IMPHASH=B6FE10FF835FBB8612CC749787B5472EtrueMicrosoft WindowsValid 734700x800000000000000085835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.741{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0trueMicrosoft WindowsValid 734700x800000000000000085834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.751{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000085833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.751{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000085832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.751{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000085831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.751{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\mfc42u.dll6.06.8063.0MFCDLL Shared Library - Retail VersionMicrosoft (R) Visual C++Microsoft CorporationMFC42.DLLMD5=DD361EE0A665F41783E02CEA20285E61,SHA256=457BF44CC1BE99FD74983178AC34E83AEC2ED73DFEE9F9FC7F5F501AD8A6D03B,IMPHASH=5407FE666C5FCACC20F969C8CE05D993trueMicrosoft WindowsValid 734700x800000000000000085830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.742{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\mmcbase.dll10.0.14393.4169 (rs1_release.210107-1130)MMC Base DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmmcbase.dllMD5=1C8D01FA2F46DA43580F66690E59F942,SHA256=24E48F93B6050D9DA4D1B93D07FCEA7F15AF8142BA8F4B8CFEF19FA670EB5B4E,IMPHASH=3A0957E0E673BE892DE6FEF53C3A2C7BtrueMicrosoft WindowsValid 734700x800000000000000085829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.732{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x800000000000000085828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.740{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000085827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.740{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000085826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.740{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000085825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.739{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.739{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000085823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.739{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000085822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.738{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000085821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.738{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000085820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.738{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000085819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.737{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.737{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.737{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.736{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.735{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.731{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E,IMPHASH=EE6E7AA59AC992D3937C01196243C8D7trueMicrosoft WindowsValid 734700x800000000000000085813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.735{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.734{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.734{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exeMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9FtrueMicrosoft WindowsValid 734700x800000000000000085810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.733{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 10341000x800000000000000085809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.730{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.730{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.730{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.730{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.714{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\wbadmin.msc" delete catalog -quietC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet 10341000x800000000000000085804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.724{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.724{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.724{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000085801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.712{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000085800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.711{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 10341000x800000000000000085799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.710{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.709{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.709{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000085796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.707{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000085795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.707{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000085794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.707{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x800000000000000085793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.707{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 10341000x800000000000000085792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.699{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.697{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 11241100x800000000000000085790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.696{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.696{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98139CE1D720965F474CC758A55333B,SHA256=2A49AF1781D99D1E7B602D7B59F669E10082ECBCA4ED10229B406A983E83D8B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.694{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.694{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.694{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000085785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.691{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000085784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.689{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000085783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.688{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000085782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.688{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x800000000000000085781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.687{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.687{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.687{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000085778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.686{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000085777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.685{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000085776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.683{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000085775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.682{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000085774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.681{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000085773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.681{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000085772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.681{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.681{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.680{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.680{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.680{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000085767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.680{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000085766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.679{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000085765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.679{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000085764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.679{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.679{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000085762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.678{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000085761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.678{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000085760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.678{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000085759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.678{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000085758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.677{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000085757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.677{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\cmdext.dll10.0.14393.0 (rs1_release.160715-1616)cmd.exe Extension DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCmdExt.DLLMD5=71B9AD2C078C208ED1633DE7DDAA834F,SHA256=44A35F3F5561E722EA1ED9A128BFF127E6086B114678774BC674BC717DD779B4,IMPHASH=03503926F7A6CC110815DF46C0AEFD5FtrueMicrosoft WindowsValid 734700x800000000000000085756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.673{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000085755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.670{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000085754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.667{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000085753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.666{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x800000000000000085752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.663{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.663{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.662{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000085749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.661{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000085748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.661{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000085747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.661{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000085746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.660{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000085745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.660{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000085744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.660{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000085743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.660{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000085742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.659{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x800000000000000085741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.659{F172AD64-7922-63C6-5E02-00000000B002}32562452C:\Windows\system32\conhost.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.657{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000085739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.657{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000085738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.656{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000085737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.656{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000085736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.656{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000085735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.656{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 10341000x800000000000000068785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:02.866{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:02.866{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:02.866{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000068782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:02.772{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F77505D44C64A67D23610EAF25DAF95,SHA256=59200D7073B7474A30A513631415AE79FD685257C5A8C265F0149715CC1D672F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.655{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.655{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.655{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.654{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.654{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.654{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000085728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.654{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000085727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.654{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000085726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.653{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x800000000000000085725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.652{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x800000000000000085724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.652{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000085723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.651{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.651{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.650{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.650{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x800000000000000085719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.650{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.649{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.649{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.648{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.648{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x800000000000000085714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.648{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.647{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.647{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.647{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.647{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.647{F172AD64-791E-63C6-5102-00000000B002}48486480C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+5958c|C:\Windows\System32\shell32.dll+125a17|C:\Windows\System32\shell32.dll+125975|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd65|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+633e85|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6893 154100x800000000000000085708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.647{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quietC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" 10341000x800000000000000085707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.646{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.638{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\System32\bcdedit.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000085705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.635{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\System32\bcdedit.exeC:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exeMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6trueMicrosoft WindowsValid 734700x800000000000000085704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.626{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\System32\bcdedit.exeC:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exeMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6trueMicrosoft WindowsValid 734700x800000000000000085703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.637{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\System32\bcdedit.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x800000000000000085702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.637{F172AD64-7922-63C6-5A02-00000000B002}24363816C:\Windows\system32\conhost.exe{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.636{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\System32\bcdedit.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.636{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\System32\bcdedit.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.635{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\System32\bcdedit.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000085698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.635{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.635{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.634{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.634{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.634{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.634{F172AD64-7922-63C6-5902-00000000B002}23241408C:\Windows\System32\cmd.exe{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.634{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {default} recoveryenabled noC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no 10341000x800000000000000085691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.633{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7922-63C6-5C02-00000000B002}6804C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.630{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\System32\bcdedit.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000085689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.628{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\System32\bcdedit.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x800000000000000085688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.628{F172AD64-7922-63C6-5A02-00000000B002}24363816C:\Windows\system32\conhost.exe{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.627{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\System32\bcdedit.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.627{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\System32\bcdedit.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.626{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\System32\bcdedit.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000085684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.625{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.625{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.625{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.624{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.624{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.624{F172AD64-7922-63C6-5902-00000000B002}23241408C:\Windows\System32\cmd.exe{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.617{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no 10341000x800000000000000085677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.617{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7922-63C6-5B02-00000000B002}4516C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.612{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000085675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.609{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000085674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.606{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000085673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.605{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x800000000000000085672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.602{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.602{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.601{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000085669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.600{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000085668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.600{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000085667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.600{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000085666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.599{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000085665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.599{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000085664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.599{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000085663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.598{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000085662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.598{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x800000000000000085661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.597{F172AD64-7922-63C6-5A02-00000000B002}24363816C:\Windows\system32\conhost.exe{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.595{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000085659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.595{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000085658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.595{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000085657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.594{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000085656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.594{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000085655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.594{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000085654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.593{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.593{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.593{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.592{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.592{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.592{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000085648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.592{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000085647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.592{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000085646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.591{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x800000000000000085645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.590{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x800000000000000085644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.590{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000085643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.589{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.589{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.588{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.588{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x800000000000000085639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.588{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7922-63C6-5A02-00000000B002}2436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.587{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.587{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000085636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.586{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.586{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.586{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.586{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x800000000000000085632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.586{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.586{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.585{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.584{F172AD64-791E-63C6-5102-00000000B002}48484120C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+5958c|C:\Windows\System32\shell32.dll+125a17|C:\Windows\System32\shell32.dll+125975|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd65|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+633e85|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6893 154100x800000000000000085628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.585{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" 10341000x800000000000000085627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.584{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7922-63C6-5902-00000000B002}2324C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.564{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\vsswmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI Provider for VSSMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSPROV.DLLMD5=74CBE3C22A64B107AFED820F00B9C98F,SHA256=F907E0CFD0B7B27BCF2D8D5C0D6E4C8E1B962E96C6D611A54B6E6877FDEA8130,IMPHASH=0CACD7A3A6C4A27F7C061428AA9D4886trueMicrosoft WindowsValid 734700x800000000000000085625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.571{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 734700x800000000000000085624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.565{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 734700x800000000000000085623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.564{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid 734700x800000000000000085622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 11241100x800000000000000085621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.559{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.558{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEC18ED186369A9D0639D98DF191BAE,SHA256=27BA8D188C5E04CE1A832D286197D686D80D9838BF3DC11193F6B8D2ABB3FBD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.553{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.552{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000085617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.552{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 10341000x800000000000000085616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.552{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.551{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7276F120FDDBC1EFF245E61E3463C5BF,SHA256=97DAF9AAF9C9EC9B28C9DE184A6550B48237AD615ABD088AD7659202E6A48B5B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msxml3.dll8.110.14393.5127MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=9D77BBEA5D618AC8D5218553D30E51FF,SHA256=E3B966541623884A78A09EA6D36269853B31FE31FB6DF90B48080F13E006F5DC,IMPHASH=A80F24725C5C87DCE74AE4F927273077trueMicrosoft WindowsValid 734700x800000000000000085613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.539{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 734700x800000000000000085612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.537{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x800000000000000085611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.533{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 10341000x800000000000000085610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000085607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000085606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wininet.dll11.00.14393.5582 (rs1_release.221130-1719)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=CB2C069BBC0C6F01FCF8B8CC33B759F3,SHA256=20A51841566FBBADEE3D80FA2A5BCA22125CB60AB48D8C07868A0E104557D017,IMPHASH=3A3043B2614699B8AF49F62AD14660B1trueMicrosoft WindowsValid 734700x800000000000000085605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000085604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000085599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000085598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000085597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x800000000000000085596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000085595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.517{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x800000000000000085594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000085593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326EtrueMicrosoft WindowsValid 734700x800000000000000085592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000085591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x800000000000000085590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000085587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x800000000000000085586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000085585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x800000000000000085584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000085583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.501{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000085581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000085580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000085579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000085577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000085576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000085575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000085574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2,IMPHASH=AB84E6F170EE70C2F0F5C709A85E872CtrueMicrosoft WindowsValid 10341000x800000000000000085573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5402-00000000B002}48922244C:\Windows\system32\conhost.exe{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000085569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-7922-63C6-5302-00000000B002}65526884C:\Windows\System32\cmd.exe{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.487{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic shadowcopy deleteC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete 734700x800000000000000085562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=E0E13482A64635E305045F9EECAF4F53,SHA256=68291C8D8C6C8CDC112A9BA73B28C5C29CD87017E96DBCC5009B9BCDBDDEF326,IMPHASH=BAB4B09716AD341771228F16AF6CB4A6trueMicrosoft WindowsValid 734700x800000000000000085561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\swprv.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service software providerMicrosoft® Windows® Operating SystemMicrosoft CorporationSWPRV.DLLMD5=BB18A83DAA37388826E376BA25C41665,SHA256=696B6C4A2458B54CDF878176CF962870FA01E624F504F4D99690F821CDFF8C8B,IMPHASH=85C9A7FB6885E63658BE40D658D042D0trueMicrosoft WindowsValid 10341000x800000000000000085560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.486{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7922-63C6-5802-00000000B002}4388C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.470{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 354300x800000000000000068781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:31:59.646{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50333-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 734700x800000000000000085558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.470{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000085557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.470{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 734700x800000000000000085556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.470{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release.220929-2054)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=D5B0BD83918122D5D3AE6C6A01E0FC43,SHA256=EB6FBBEFD6B16EF0CD80356CE1AE6AF87478BBABED8B09BF29356A138782BB5E,IMPHASH=D73DA1D2C74E22057889487739A1CF17trueMicrosoft WindowsValid 734700x800000000000000085555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\mfcsubs.dll2001.12.10941.16384 (rs1_release.160715-1616)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationMFCSUBS.DLLMD5=5E86F41BCF9EA6B3527D273217C4D4A7,SHA256=8DC0AB5F336FE8DF2FE87DF350C67072C7287F971F3E45917C288A9C0B664EBC,IMPHASH=96EC2FEA777EB0F0B73CC9A2448A9866trueMicrosoft WindowsValid 734700x800000000000000085554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.470{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000085553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.470{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.470{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.470{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.470{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.470{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\catsrvut.dll2001.12.10941.16384 (rs1_release.221103-1703)COM+ Configuration Catalog Server UtilitiesMicrosoft® Windows® Operating SystemMicrosoft Corporationcatsrvut.DLLMD5=2F4032B8693945D2C509C0A8213B782A,SHA256=7F1127149C194950539F9925B4BFCF293DF375805CA801A9B6A505216E1A2B01,IMPHASH=D5E2BFCE361310D195CA06EA9E6D2433trueMicrosoft WindowsValid 734700x800000000000000085547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000085546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000085545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000085544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x800000000000000085543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-6CE8-63C6-1100-00000000B002}6121648C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 734700x800000000000000085542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000085540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000085539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 10341000x800000000000000085538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000085536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 10341000x800000000000000085535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 734700x800000000000000085533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000085532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x800000000000000085531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-6CE8-63C6-1100-00000000B002}6121648C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000085530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.5582 (rs1_release.221130-1719)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=83557C9B0E94FCB9D5181D928563991C,SHA256=11FAEB577FAF552BE4FF2275195CD0B3471228EE56C25D38DE5261BF87DF48BA,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924trueMicrosoft Windows PublisherValid 10341000x800000000000000085528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.454{F172AD64-6CE8-63C6-1100-00000000B002}6121648C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000085526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\fssprov.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft® File Server Shadow Copy ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationFSSPROV.DLLMD5=CA1D17E3A0ABF54000E69D104661A968,SHA256=3ED0BD9CFB6D6089A6F454BF1287A7DB8A4ADFB819CE5F8D52DA435A3F3DCF92,IMPHASH=430F50D6AA61D60A23D372ADC6175EF3trueMicrosoft WindowsValid 10341000x800000000000000085523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-6CE6-63C6-0A00-00000000B002}616104C:\Windows\system32\services.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000085521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000085520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000085519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000085516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-6CE6-63C6-0A00-00000000B002}6165072C:\Windows\system32\services.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 734700x800000000000000085509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 11241100x800000000000000085508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.439{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exeC:\System Volume Information\RemoteVss\{89300202-3cec-4981-9171-19f59559e0f2}-{F32554AF-9E70-418D-B16E-7F58170EA763}.PMS2023-01-17 10:32:02.439 11241100x800000000000000085507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exeC:\System Volume Information\RemoteVss2023-01-17 10:32:02.423 10341000x800000000000000085506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-6CE8-63C6-1100-00000000B002}6121648C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 734700x800000000000000085505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000085504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000085503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000085502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000085501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.408{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release.220929-2054)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=D5B0BD83918122D5D3AE6C6A01E0FC43,SHA256=EB6FBBEFD6B16EF0CD80356CE1AE6AF87478BBABED8B09BF29356A138782BB5E,IMPHASH=D73DA1D2C74E22057889487739A1CF17trueMicrosoft WindowsValid 10341000x800000000000000085500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=92CD5DA45ABA4CE45313783FCB345D99,SHA256=B0F20BE2B144056E488F8FF51E266F426625E64E3C91CCD17895A441A0935C46,IMPHASH=7712978A8D93CC3BE5668BB2C1A9F990trueMicrosoft WindowsValid 734700x800000000000000085497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000085496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.423{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 734700x800000000000000085495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\authz.dll10.0.14393.4886 (rs1_release.220104-1735)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=A26BCF0FE442174708AA3DB7602B5A3D,SHA256=18D5690E120DFC6260C6D2E75BD84660824EAAF919B3CDF24C46AA1D18C301EB,IMPHASH=720B221BA6A01692F2370B4CCC197970trueMicrosoft WindowsValid 734700x800000000000000085494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEMD5=C417EA0DC7EF39347AB3AFC6D9CE0A3C,SHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB,IMPHASH=B933B302F069B1ED43D97EAA68CD7B05trueMicrosoft WindowsValid 734700x800000000000000085493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.408{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000085492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.408{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.408{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.408{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.408{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.408{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000085486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-6CE6-63C6-0A00-00000000B002}6165072C:\Windows\system32\services.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000085484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\bcd.dll10.0.14393.1794 (rs1_release.171008-1615)BCD DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationbcd.dllMD5=8CCF9CCA4EEEC2594793B33F487FD327,SHA256=6C0601675E07083C28199BB7933A2CF5EF3784DC243BD030EB963052C3C4D4CA,IMPHASH=13F6727DFBA0EC436911ACC99667406EtrueMicrosoft WindowsValid 734700x800000000000000085483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 734700x800000000000000085482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000085481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000085480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000085479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 734700x800000000000000085478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid 734700x800000000000000085477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000085476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000085475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000085473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000085472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000085471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000085470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000085469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000085468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000085465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.392{F172AD64-6CE6-63C6-0A00-00000000B002}616104C:\Windows\system32\services.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.377{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEC:\Windows\system32\vssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C417EA0DC7EF39347AB3AFC6D9CE0A3C,SHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB,IMPHASH=B933B302F069B1ED43D97EAA68CD7B05{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\System32\services.exeC:\Windows\system32\services.exe 734700x800000000000000085458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.360{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid 10341000x800000000000000085457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.361{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.361{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.361{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.361{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.361{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 734700x800000000000000085452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.361{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000085451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.361{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\system32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.361{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\system32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.361{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000085448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.361{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000085447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.360{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000085446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 734700x800000000000000085445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\vssadmin.exe10.0.14393.0 (rs1_release.160715-1616)Command Line Interface for Microsoft® Volume Shadow Copy Service Microsoft® Windows® Operating SystemMicrosoft CorporationVSSADMIN.EXEMD5=2964D232005BD840B38F9DB4F95DC7DB,SHA256=4FE71EB779B57354E5600DC31E3DC1875ADC8A06663654AEC83F11109751E8FC,IMPHASH=974DD2AFBD6D9BAE89608D1B181CCCF8trueMicrosoft WindowsValid 11241100x800000000000000085444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890D6873CF6359B1C8C0A1344806044B,SHA256=9A63B204C5DAB70D28917F48B6DBE2876831219A82916EB24580733901AD4A46,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000085437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 734700x800000000000000085436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000085435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000085434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.344{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000085432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000085431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000085430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000085429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000085428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000085427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5402-00000000B002}48922244C:\Windows\system32\conhost.exe{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000085423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5302-00000000B002}65526884C:\Windows\System32\cmd.exe{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.335{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\System32\vssadmin.exe10.0.14393.0 (rs1_release.160715-1616)Command Line Interface for Microsoft® Volume Shadow Copy Service Microsoft® Windows® Operating SystemMicrosoft CorporationVSSADMIN.EXEvssadmin delete shadows /all /quiet C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=2964D232005BD840B38F9DB4F95DC7DB,SHA256=4FE71EB779B57354E5600DC31E3DC1875ADC8A06663654AEC83F11109751E8FC,IMPHASH=974DD2AFBD6D9BAE89608D1B181CCCF8{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete 10341000x800000000000000085416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7922-63C6-5502-00000000B002}6376C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.329{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000085414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000085413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000085412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x800000000000000085411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000085408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000085407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000085406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000085405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000085404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000085403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000085402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000085401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x800000000000000085400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}48922244C:\Windows\system32\conhost.exe{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000085398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000085397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000085396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000085395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000085394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000085393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.313{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000085391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000085390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000085389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000085388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000085387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000085386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000085385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x800000000000000085384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x800000000000000085383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000085382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x800000000000000085378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7922-63C6-5402-00000000B002}4892C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000085376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000085375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000085374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x800000000000000085373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-791E-63C6-5102-00000000B002}48484788C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+5958c|C:\Windows\System32\shell32.dll+125a17|C:\Windows\System32\shell32.dll+125975|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd65|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+633e85|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6893 154100x800000000000000085367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.305{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy deleteC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" 10341000x800000000000000085366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7922-63C6-5302-00000000B002}6552C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000085364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 734700x800000000000000085363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000085362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000085361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x800000000000000085360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.298{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x800000000000000085359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.283{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x800000000000000085358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.283{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x800000000000000085357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.283{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000085356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.283{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000085355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.283{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000085354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.283{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000085353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.283{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000085352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.283{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 11241100x800000000000000085351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.281{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Desktop\Firefox.lnk2023-01-16 13:05:04.278 23542300x800000000000000085350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.281{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Desktop\Firefox.lnkMD5=E321EF5E910BE8352A215B36B425372D,SHA256=2CAA69DE306ABB60B8B9F90A0F6D20DF1A1F63051E8DE4D0A94BF063F243D9AF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.263{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Desktop\read_it.txt2023-01-17 10:32:02.263 11241100x800000000000000085348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.263{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Desktop\desktop.ini2016-07-16 13:23:24.617 23542300x800000000000000085347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.262{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Desktop\desktop.iniMD5=DC723B859DEC1526568AD581AEC334D5,SHA256=7148FBBF1AAC8B5A54D248DF19B60C00D3C0DCB2FD5BB2A1EFD4E0F0EAC6DD0F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.248{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Videos\read_it.txt2023-01-17 10:32:02.248 11241100x800000000000000085345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.247{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Videos\desktop.ini2016-07-16 13:23:24.633 23542300x800000000000000085344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.247{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Videos\desktop.iniMD5=582BD0FACB013808C1C4804D894CD9FD,SHA256=D719C6796022F1E7C94A3208B6A488191E83C135067B6640DC5F7FCB872604E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.233{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Music\read_it.txt2023-01-17 10:32:02.233 11241100x800000000000000085342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.232{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Music\desktop.ini2016-07-16 13:23:24.633 23542300x800000000000000085341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.232{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Music\desktop.iniMD5=48F5AC70AAEDAFE403B362E41DA1E1D6,SHA256=F09A1312CD41AADC809249DC3A6F5D5318266B40FD74B9E714571419810131DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.216{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Pictures\read_it.txt2023-01-17 10:32:02.216 11241100x800000000000000085339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.215{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Pictures\desktop.ini2016-07-16 13:23:24.633 23542300x800000000000000085338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.215{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Pictures\desktop.iniMD5=2F145CCA0196FB928EE5656F2CFC2934,SHA256=73671D1BA8A835E74033F7E62AFB9371C98F01EFDD760A2D7093ABBFCAB7FAFA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.201{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Documents\read_it.txt2023-01-17 10:32:02.200 11241100x800000000000000085336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.200{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Documents\desktop.ini2016-07-16 13:23:24.617 23542300x800000000000000085335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.200{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Public\Documents\desktop.iniMD5=EC659B643B3DC5A57DAFA797BBC83871,SHA256=B18F9A899844D82F60FF3A1AB7FC9EFC4A7297D78C04BCDA65362B7BCE2C02A8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.185{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\userDefineLangs\markdown._preinstalled_DM.udl.xml2021-10-05 22:39:08.000 23542300x800000000000000085333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.185{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\userDefineLangs\markdown._preinstalled_DM.udl.xmlMD5=3690CEF1865E32FE6BE1B2EC7656539A,SHA256=E45E49F0895249D951DF2C07E0F06CA1242E05C961DD921E5AA2781AE2E7FF25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.171{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\userDefineLangs\read_it.txt2023-01-17 10:32:02.170 11241100x800000000000000085331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.170{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\userDefineLangs\markdown._preinstalled.udl.xml2021-10-05 23:01:12.000 23542300x800000000000000085330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.169{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\userDefineLangs\markdown._preinstalled.udl.xmlMD5=672E6D5F89887666EC94711E442644E0,SHA256=B34FE6811DACFE49D77D434123867E866DAF6E0E27387A0446887DABE8943F04,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.152{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\plugins\config\read_it.txt2023-01-17 10:32:02.152 11241100x800000000000000085328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.152{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\plugins\config\converter.ini2023-01-17 10:26:13.190 23542300x800000000000000085327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.152{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\plugins\config\converter.iniMD5=F70F579156C93B097E656CABA577A5C9,SHA256=B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.142{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.142{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.142{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.141{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.141{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.141{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000085320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.126{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\tabContextMenu_example.xml2022-12-19 01:07:56.000 23542300x800000000000000085319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.126{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\tabContextMenu_example.xmlMD5=54032F2BB43144796DE77C2EFAE73781,SHA256=A54CA9B448E99F5FC2F5509F1226AC385B9513A870E6ADE58A40D4B483C2A100,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.110{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\stylers.xml2023-01-17 10:26:12.957 23542300x800000000000000085317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.110{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\stylers.xmlMD5=5C4E5F30BE3F7E610CD129EB066AFE8A,SHA256=A961CAF25FAF0CA7C254E1A236F7E573824FD7C76C214BA1577B82C7786D5268,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.090{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\shortcuts.xml2023-01-17 10:26:12.980 23542300x800000000000000085315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.090{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\shortcuts.xmlMD5=2DC05A7F88F066BB57E7C5253321E6B8,SHA256=9B99A1A29C4F1D1A3837A7DF9BDF44546E3756570F28BFA656DFFA70540E6534,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.070{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\langs.xml2023-01-17 10:26:12.908 23542300x800000000000000085313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.070{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\langs.xmlMD5=AF9F59AC6954E13D8D27947202DBF41E,SHA256=2A5C9ED414869E012D081BDAF0E3888803EB4508A49C7B74A69E4BC1E3F2DAD3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.040{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\read_it.txt2023-01-17 10:32:02.039 11241100x800000000000000085311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.039{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\contextMenu.xml2022-01-17 00:43:18.000 23542300x800000000000000085310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.039{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Notepad++\contextMenu.xmlMD5=A27CBD2FC47815EF8DAC7C86BBEC7AC7,SHA256=7FBFF0B764605A533B72C77A4B803E8455F748AE6317E24F293AAB619D59E005,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.021{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\read_it.txt2023-01-17 10:32:02.021 11241100x800000000000000085308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.021{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg2023-01-17 10:20:09.861 23542300x800000000000000085307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.021{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=C5D886418680B6C9B3D1C4BF8569B803,SHA256=3A7E8CB85F615C6510BBD6CD6F82F52F38F26D7095F069273E9AAD14C04D6666,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.006{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk2023-01-16 12:49:00.671 23542300x800000000000000085305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.006{F172AD64-791E-63C6-5102-00000000B002}4848ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnkMD5=C0BE19F80D148B348C3DE21AA3B5B7F4,SHA256=653BF59285BB4F514C0B95D3151C529D567863608177851D3FCE5946D272C4DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.983{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.983{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E485DF9466620A46C0A50378E0B7B37,SHA256=17105DA87731CFE51BFF655A514A2D4C31659EE62650AFC238922DEFB07D07AB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.936{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000085943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.873{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x800000000000000085942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.702{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\593f258c74fed800dfa0d8eaa94b3058\blbwizfx.ni.dll10.0.14393.4046 Microsoft (R) Windows (R) Operating SystemMicrosoft Corporationblbwizfx.dllMD5=CB7E3F14BBACBF40CED97B77B3748536,SHA256=D63705EA4D504F4D3DC8D62247484F30E7752610CA11C7CBF497B73EF2E1FDC5,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.702{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\081236d71e624bb84eae0aa75de7dca0\blbmmc.ni.dll10.0.14393.4046 Microsoft (R) Windows (R) Operating SystemMicrosoft Corporationblbmmc.dllMD5=BBE7A3BCE3C0BA0F2A6279E0AC86745A,SHA256=18F964AE86D44977C06A58E65A6C9E6858A917AE187597100DDEFEA58D29C44C,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.717{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 11241100x800000000000000085939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.686{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.686{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F372C3C1312E1549E38E40226C305C89,SHA256=D915F0D9D857CA91849B6E63CCD1D02FEAF62EBAE0410B46D832006D2D45662E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.577{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x800000000000000085936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.561{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5501_none_aec664b1ddd8c519\GdiPlus.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=C8D45154ED70BAC1BEEFD0189370A4BB,SHA256=9F85F30113189576460BAE5BF56327A4E3DB65B84E8933595260DA224C8811E8,IMPHASH=BC747D18CC28DFF374DB67CDCF580B6BtrueMicrosoft WindowsValid 734700x800000000000000085935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.530{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1,IMPHASH=4CAFDD735088F52AC974373982DCCDF2trueMicrosoft WindowsValid 734700x800000000000000085934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.530{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\credui.dll10.0.14393.5648 (rs1_release.230105-1654)Credential Manager User InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationcredui.dllMD5=B1E6026E177671849991402EC273C5F0,SHA256=2847C2909FB10306257832F7780E4D821BF300DB7EAA8A6689FEDAE80981C125,IMPHASH=759BDFE8131F73A7B2386342DE7A7604trueMicrosoft WindowsValid 734700x800000000000000085933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.530{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\blbproxy\v4.0_10.0.0.0__31bf3856ad364e35\blbproxy.dll10.0.14393.4046 (rs1_release.201028-1803)Managed Proxy between LHBackup engine and UIMicrosoft® Windows® Operating SystemMicrosoft CorporationManagedProxy.dllMD5=97C8E61DB9A00244C5D3047F8C59E47F,SHA256=966D71D88823420C43ED6B1172AE4FA6AADF48B271048BADC2A4BD5A00456A8A,IMPHASH=0746B327FFA4FA1457971DD53A4314F6trueMicrosoft WindowsValid 11241100x800000000000000085932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.545{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\system32\mmc.exeC:\Windows\Logs\WindowsServerBackup\WBEngine.0.etl2023-01-17 10:32:03.545 11241100x800000000000000085931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.530{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\system32\mmc.exeC:\Windows\Logs\WindowsServerBackup2023-01-17 10:32:03.530 734700x800000000000000085930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.530{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\wsbsnapincommon\d8dbde9bd56745db43b49f0b61f656b5\wsbsnapincommon.ni.dll10.0.14393.4046 Microsoft (R) Windows (R) Operating SystemMicrosoft Corporationwsbsnapincommon.dllMD5=862281416B8C185EC89752983F1639D2,SHA256=5A7D1582CF9F8205E017992F3F87A193F76CAD544327C00D46B322DCA2377CCC,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.530{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000085928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.514{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\62064ab31fcca0276bc2e2f993620346\blbproxy.ni.dll10.0.14393.4046 (rs1_release.201028-1803)Managed Proxy between LHBackup engine and UIMicrosoft® Windows® Operating SystemMicrosoft CorporationManagedProxy.dllMD5=79AD6BFE676691ED209E9145359821A0,SHA256=B969300E8585B019849D7B54B9B4DF58BB7B2123F2543AC597CA66253E4CAB3D,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.498{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\wsbmmc\a69393bf1a31441db5fc8d990f851cf0\wsbmmc.ni.dll10.0.14393.4046 Microsoft (R) Windows (R) Operating SystemMicrosoft Corporationwsbmmc.dllMD5=55FE5C2FBB68BC649994315298946EC8,SHA256=535CF71566D1F73A53F357573B88904CA772ED89794200F3AA40FE13DE9BD529,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.467{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\2b0459ad3f2eb18974de1cdbc97b02c1\Microsoft.ManagementConsole.ni.dll10.0.14393.4046MMCFxMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.ManagementConsole.dllMD5=9C2800BB100B4CEF833B32491E0E7531,SHA256=2411E90534D64B67C56B691D95695111EEF120FAD61AF73221D73B6E64FFA114,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.467{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=1E97AB4809C6F313924374B955C06609,SHA256=0EED3DC3607EC986FFC8BE594A6656D668647DCC84E2158006123A4EBD273B12,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 11241100x800000000000000085924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.452{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 13:16:44.659 23542300x800000000000000085923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.452{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7E7566140194739FD65233849C39E65C,SHA256=8E2129EB09E95446F866B13D303C0A5ADC49758C0355217A40EAF0BD5325783C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.437{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6,IMPHASH=291B64B0984CCD3A091CF75D2A111D5DtrueMicrosoft CorporationValid 734700x800000000000000085921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.425{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\ee250b1baaf582c7ca2b351f2f3f5e1c\System.Windows.Forms.ni.dll4.8.4556.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=284300B512FE92853D650AAF7654D6BC,SHA256=FE18DCD6BC8C80D5D619EF185396A79DE86D785493BA0D21C66E6D70ADACD959,IMPHASH=00000000000000000000000000000000false-Unavailable 10341000x800000000000000085920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.422{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.422{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.422{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.421{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.421{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.421{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.416{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.416{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.416{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7921-63C6-5202-00000000B002}5428C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 734700x800000000000000085911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.290{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\bf80b8ac55fd40aced1d096250aac172\System.Drawing.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=C20190DA3D4B77A1662F026118F06968,SHA256=61EA726F02F345255C81371B7B124DB2FA9B4234BBE14E4DF8784DB752BD3D89,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.268{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\bcd5e36ccc17ee2507018f5d1b29e273\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=304F547F46EE61270FFA0DAD2DF6912B,SHA256=37CDD607A795FAB4BE194AB6EACECC81903EC2EC9ED2DDD4C4D24276A01E9F96,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.195{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\756aea5f9a7e26a91ee07676cce5ead5\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6874BA87C64A9BF0F5A5305D25654DE0,SHA256=B624880F49BC068F6766153AD605D4BBAF8ECFDC43A6335C3D2F0464764E9260,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.183{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\5973c019b0c7189c85b0900542d5f0ff\System.Core.ni.dll4.8.4590.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=8FD4D1C0E4FE382890C35514BE55E82D,SHA256=5C8462C3B08C87B8670303A35984818B47ACE440906864BD8A9CEEE12C804EAA,IMPHASH=00000000000000000000000000000000false-Unavailable 10341000x800000000000000085907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.167{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.167{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.167{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.167{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.167{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.166{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.161{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.161{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000085899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.161{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000085898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.095{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\4f21e1ecc93d56d6ec236e637c3557e3\MMCFxCommon.ni.dll10.0.14393.4046MMCFxCommonMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMMCFxCommon.dllMD5=CEBC3CAAB425FEC0CD8C3A98B2E9582D,SHA256=0C13DACDA3F3C634EDB1DA5F5C99AE6FDCF6CC67E590A74E2FDB261385601807,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.083{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\9157c6fb137f03baa106650aa8f0fac3\MMCEx.ni.dll10.0.14393.4046MMCExMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMMCEx.dllMD5=DC24BCF378EBF3C6EDB60AED6C59938D,SHA256=AB7E8CC28A86F44255DBED39DA909080A40853CE893DDF826B652D6BA01E287B,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.097{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000085895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.097{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 23542300x800000000000000068786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:03.870{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=289C59EF823C40313053D2F2E62CD202,SHA256=6352F53BC5542982CDDF37AB10931A24918C4FF8EF369C2F55D3D0371F1390D4,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000085894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.096{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000085893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.096{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\wldp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=E0E13482A64635E305045F9EECAF4F53,SHA256=68291C8D8C6C8CDC112A9BA73B28C5C29CD87017E96DBCC5009B9BCDBDDEF326,IMPHASH=BAB4B09716AD341771228F16AF6CB4A6trueMicrosoft WindowsValid 734700x800000000000000085892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.086{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000085891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.085{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000085890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.083{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000085889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.042{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\sxs.dll10.0.14393.5582 (rs1_release.221130-1719)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=F2A8CD581B7D437C69B57A11C3C45E5D,SHA256=43CE351FE5BBF22128A1A60EC5BE4C70B0BC1496AD276FF04A484F7B86921B0A,IMPHASH=1CD4F5164C272A4717A58FD86B640C54trueMicrosoft WindowsValid 734700x800000000000000085888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.042{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll4.8.4545.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=2FAB64A8785560F3831C0C7A07105E56,SHA256=F511E0987071071C6932C33C02B2C6F3D379482690813FA5212CA5E646068662,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000085887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.027{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=06E661551B61E29907B1CF0D4EBB955B,SHA256=E62035FBB0E5259597695708F9B10FDD5D5FF5459D659EAB880FA265E8E8DF2E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000085886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.027{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 734700x800000000000000085885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.027{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32F,IMPHASH=CD244BF7A749BF0B13E038D2EE842BFCtrueMicrosoft CorporationValid 734700x800000000000000085884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.027{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153,IMPHASH=0524DC27AA10ADA72FFB6F88F5FD8829trueMicrosoft CorporationValid 734700x800000000000000085883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.027{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=3E93DA6D9661961064868E1DC8719674,SHA256=94E0505EFFF30A222546870508A8016D3EABE0F1B05ECC51997153AB9D9188DF,IMPHASH=259C196C67C4E02F941CAD54D9D9BB8AtrueMicrosoft CorporationValid 734700x800000000000000085882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.027{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x800000000000000085881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:03.027{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\System32\mmc.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 11241100x800000000000000085957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:04.973{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:04.973{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C821B9B6AF6DE6BEAB9F18230A65AE,SHA256=A579D717F624CF7470EE1D3CB1CFFC9BEF26D09C407AC576B01B12F39430704F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:02.183{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49476-false10.0.1.12-8000- 10341000x800000000000000085954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:04.448{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:04.448{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:04.447{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:04.446{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:04.446{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000085949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:04.446{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000085948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:04.263{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\system32\mmc.exeC:\Windows\Logs\WindowsServerBackup\WBEngine.0.etl2023-01-17 10:32:03.545 11241100x800000000000000085947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:04.200{F172AD64-7922-63C6-5F02-00000000B002}2104C:\Windows\system32\mmc.exeC:\Windows\Logs\WindowsServerBackup\WBEngine.0.etl2023-01-17 10:32:03.545 354300x800000000000000068787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:02.055{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50334-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:05.176{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B536207F58694BE61A6E51184EB58E2A,SHA256=5BE4DB0D41FC27656984DC4CE2FB8B17F40EE87501E0C3DA0652EAC6FF88E08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:06.272{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C368A35DA55373897A9753FF0B51558A,SHA256=6868A666D46C9F0D5FF90D0909752D19AB9A65787EA87BECE405BD32CDC21877,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:06.340{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db2023-01-17 10:32:06.340 11241100x800000000000000085959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:06.057{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:06.057{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23ACD139996E22FFBF1ADBE047C57FA2,SHA256=CD5BDC2B5FDB73B268ADA33145044B98D10A2C4CDA2019A16B055A220A92AE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:07.372{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDD0B358DB0609AE42D8186B6E7F75D,SHA256=F1F438344497964DA8B920887C4C00192901454E0A3870437FACC6B7D3E1C0E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:07.998{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:07.996{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x800000000000000085967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:07.169{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:07.169{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DADCA3E0658F3C31576F540B8AFDBB,SHA256=B5B175056794DE7FBE1263EA32CAE27E89682C46459BC8B718379FE64FA3028F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:07.090{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000014.dbMD5=27FC75F221F544ACDE36E82350C708DB,SHA256=10268B5103F91A339BA231E0606EEDCBD993B50C220CA274C9E828AACE18E49D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:07.090{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000085963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:07.090{F172AD64-6CE7-63C6-0C00-00000000B002}8322108C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000085962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:07.075{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000085961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:07.075{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x800000000000000068791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:08.581{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121FC6629EC5D0B2C100FDEE8DBAA907,SHA256=0BD2A05C428A78A169C82BA8EDE8A3C134516309367874CC18A239877F0CAE0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.163{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.159{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.154{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.152{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.151{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x800000000000000085986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.148{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.148{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A8B646940A744F2DCF629ABE8A6E04,SHA256=4D942C8C8EC4BE6E60C6FB40A61E8892F6F88329DC82C93B08398F5C326BB80B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.145{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.142{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.140{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.138{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.133{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.123{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.118{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.111{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.103{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.092{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.061{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.051{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.045{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.037{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:08.030{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000068792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:09.891{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58EAA1EE4C430501E4CC9E6D4F346BD8,SHA256=0E6788E37DD8EDC0C7C6CEB42D2E8954B1282E7B024DB0E943CA7BF41E6A5F7D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000085994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:09.863{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg2023-01-17 10:20:09.861 11241100x800000000000000085993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:09.253{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000085992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:09.253{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F701F2D6C8A43EB43A2D70E49D755629,SHA256=CCEB0770139B19CC627838093E1F85EEFBFB0FC6DA9D0F2A94C6EDA8615B8A99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.585{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.584{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 11241100x800000000000000086005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.334{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.334{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA19AFAFA96B32481277E5E93BBE6FBF,SHA256=6687E9AB3ABE5539E16D48B318B3583D86EADBD04DFE105C4A0A08F8FC0CC621,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.279{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.278{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.278{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000068793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:08.072{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50335-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000086000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.199{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.196{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.190{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000085997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.177{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 734700x800000000000000085996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:10.035{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 354300x800000000000000085995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:07.235{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49477-false10.0.1.12-8000- 11241100x800000000000000086032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.885{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.885{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361DE0A6CD30BB07BE9AFCF7809192FA,SHA256=1971029174A2216D94EBA7E91F01E09A685BE354EFFA6B32AB7AED41F8A970EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:11.007{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D22FC6621B80DD9D8814D017254D92,SHA256=DEB74204AA46164A64654E56755D9F8A0CB4456303D3EFA6C6BA535E6C517A11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.228{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.227{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.225{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.222{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.219{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.218{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.218{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.216{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.200{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.189{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.187{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.151{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.145{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.126{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.121{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.120{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.117{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.114{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.111{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.109{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.108{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.105{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000086008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:11.104{F172AD64-7640-63C6-CB01-00000000B002}61966584C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000180BE190) 10341000x800000000000000068808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.343{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-792C-63C6-4902-00000000B102}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.341{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.341{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.341{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.341{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.341{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.341{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.341{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.341{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.340{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.340{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-792C-63C6-4902-00000000B102}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.340{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-792C-63C6-4902-00000000B102}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.340{F6EEFE7F-792C-63C6-4902-00000000B102}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:12.104{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180DDA65C5534691B447F68CE5F5BE43,SHA256=ECD195200D117D459FA989EB3E612E46A89C0D3147C47DED53CD33DBD233D5C9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:12.214{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000086033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:12.214{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7FC35623A290B91958463924A96BB256,SHA256=4C52B9CA520A4BD2F560E2869BFB9AA5C61E5E45CA27964F373D772FA59EC276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.439{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8293407A223DE3F07E891942A7CF1488,SHA256=03579F1B3EADDA2845D0EA8C2884BF24461F44BE34F1CA0EE16C7F713DDCF6BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.408{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.398{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 23542300x800000000000000068847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.391{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1B56FF334AE7ED438F82071699BD008,SHA256=A9A93695668F7B2D1813C69B67D83EA9F2BDDB33DEFC9659DE2CADC4763221A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.366{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.356{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.353{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.324{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.316{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 23542300x800000000000000068841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.308{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DF3F4DD7DB9CCE2202F99475CED5A0,SHA256=8877CAAA16DF9561464146B6785108AB06F1A3AFAF883F435EC40FE204F971E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.276{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.261{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.258{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.256{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.256{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.254{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.251{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.247{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.243{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.241{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.236{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.230{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.227{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.215{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.206{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 734700x800000000000000086037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:13.869{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 11241100x800000000000000086036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:13.027{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:13.027{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E496680089ADEF804223C00CFAB7EC,SHA256=99F1332EB41A78780B3FD19EC29C8DEF93AD6731E94656542B07101CCE3E1D2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.174{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.165{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.155{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.144{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.130{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.122{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.116{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.105{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.098{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.091{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000068809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.088{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 23542300x800000000000000068865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.591{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5125493BF18C4AE5A08D9F4D97B74DAE,SHA256=FB69039B4675A731A78625BFF532CDE36A33061A31808A85D22948B092DCF218,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.358{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-792E-63C6-4A02-00000000B102}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000068863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.351{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C22FC802AE902BE36765B6CB78288A50,SHA256=06932085C63432C21BC9CF1E706B0C616B7610A26B2BA7030485D88FEE39EB1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.350{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.350{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.350{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.350{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.350{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.350{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.350{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.349{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.349{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.349{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-792E-63C6-4A02-00000000B102}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.349{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-792E-63C6-4A02-00000000B102}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:14.348{F6EEFE7F-792E-63C6-4A02-00000000B102}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000086042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:12.355{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49478-false10.0.1.12-8000- 11241100x800000000000000086041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:14.135{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:14.135{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DA5B43CC152199A3AFBB83531873A8,SHA256=D9E6F391B05E713B734A78778619C1BF0901D924129E9D4DF69BDA67B15D3FD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:14.104{F172AD64-6CE8-63C6-0D00-00000000B002}8922084C:\Windows\system32\svchost.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:14.104{F172AD64-6CE8-63C6-0D00-00000000B002}8922084C:\Windows\system32\svchost.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000068881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.726{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595032BEE50FF5C3E23E215554471482,SHA256=D2664F3759B11F813E59938F62FB243F41D9258AEC917EFE0131CE18DD6C9BC7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:15.224{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:15.224{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89DFB749DE7D9AA47A4CFAB20EF6D6F,SHA256=B1A54AD1ACC330B928087B43343ECB360C967CC351AD993E7ADAFF0E77041AD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:13.117{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50336-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000068879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.231{F6EEFE7F-792F-63C6-4B02-00000000B102}53645724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-792F-63C6-4B02-00000000B102}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-792F-63C6-4B02-00000000B102}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.029{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-792F-63C6-4B02-00000000B102}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:15.030{F6EEFE7F-792F-63C6-4B02-00000000B102}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.826{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE507D016CCA1B589924B05D97634294,SHA256=4FCDD12A13AB5C37F0BD4966C58B116FF168B9E9FB415F871AFC15A9F4EE9663,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:16.322{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:16.322{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF06A0751442D7E61A6216E2A2C61688,SHA256=8D7106FC2451AA15546124FAC24A9612759AEA019AABC2B33A3B74B2106C6444,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.418{F6EEFE7F-7930-63C6-4C02-00000000B102}48724328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.380{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7930-63C6-4C02-00000000B102}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.380{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7930-63C6-4C02-00000000B102}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.379{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7930-63C6-4C02-00000000B102}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7930-63C6-4C02-00000000B102}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7930-63C6-4C02-00000000B102}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7930-63C6-4C02-00000000B102}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:16.228{F6EEFE7F-7930-63C6-4C02-00000000B102}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E266ED419BAF3F9DBF24C096C27C8E,SHA256=4EE2E552F90D5D9F51A1A720A8FB61EFA0D46FE941927DD695723A8CF33C0822,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7931-63C6-4E02-00000000B102}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7931-63C6-4E02-00000000B102}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.901{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7931-63C6-4E02-00000000B102}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.903{F6EEFE7F-7931-63C6-4E02-00000000B102}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000086048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:17.422{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:17.422{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90AD3EFB2674C268F64F8785C5FE212,SHA256=BD8BBAAC562713EF898DDB77B20082006463BF390F932257A6DDFB60BB959C11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.375{F6EEFE7F-7931-63C6-4D02-00000000B102}11203636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7931-63C6-4D02-00000000B102}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7931-63C6-4D02-00000000B102}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.218{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7931-63C6-4D02-00000000B102}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:17.219{F6EEFE7F-7931-63C6-4D02-00000000B102}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000086051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:18.523{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:18.523{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6EFEC11D2A563B8A60E606AC60E84D,SHA256=C90FC6DB8CF60386764E260268CD4200E1DC59BB2EBAD1000E0B42787140A937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:18.477{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-050MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:18.077{F6EEFE7F-7931-63C6-4E02-00000000B102}42042660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000086049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:18.194{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:32:18.194 11241100x800000000000000086053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:19.613{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:19.613{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978F2CA42A4F06B58EFB6C23FFC7D739,SHA256=6330A97D8CCD51A28FA970AE92DBA6C2F5513428957931668FBA0079002FBEF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.523{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7933-63C6-4F02-00000000B102}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.523{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7933-63C6-4F02-00000000B102}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.523{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7933-63C6-4F02-00000000B102}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.523{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7933-63C6-4F02-00000000B102}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.523{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7933-63C6-4F02-00000000B102}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000068946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.523{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7933-63C6-4F02-00000000B102}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 23542300x800000000000000068945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.485{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-051MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7933-63C6-4F02-00000000B102}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7933-63C6-4F02-00000000B102}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000068933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7933-63C6-4F02-00000000B102}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000068932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.469{F6EEFE7F-7933-63C6-4F02-00000000B102}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:18.999{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC844C03C522AC232C66B90C4E43D05B,SHA256=0A3A12428DCB8C630D5EEA290E2E7E248076AD020FD9F193077DF652DA4FB0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:18.999{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6417BBC462E8736C31128766BE356338,SHA256=EB2773DB5ECFF545C2CE8942DDD9FF9B9AFFF9FE59A264920F445F2F53F4FC53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:19.100{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50337-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:20.100{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB24A3AC257A5AF77F179B7144F82B1,SHA256=7BB4DA05C820E9B8027AD9621A5264CC441E2305235C9F3F2690CCC7103E79DF,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.495{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000086103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.495{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000086102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.495{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000086101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.321{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000086100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.305{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000086099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.305{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000086098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.305{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000086097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.305{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000086096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.305{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000086095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.305{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000086094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.305{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000086093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.305{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000086092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.258{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000086091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.274{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000086090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.274{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000086089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.258{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000086088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.258{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000086087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.258{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000086086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.258{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000086085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.258{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000086084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.258{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000086083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.258{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000086082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.258{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000086081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.243{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000086080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.243{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000086079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.243{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.243{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000086077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.243{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000086076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.243{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000086075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.243{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000086074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.243{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000086073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.243{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000086072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000086071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000086070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000086069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000086068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000086067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000086066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000086065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000086063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000086062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.227{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.197{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000086060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.197{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.197{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.197{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.197{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.197{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.197{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.040{F172AD64-7934-63C6-6002-00000000B002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:21.171{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CE58FA71AC8E1EE3ECF086CA78A8B4,SHA256=E1AD623123FB4A1E90A491BA5F5638C3377EE3D2113DFAB89B5DB49442B9705B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000086216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\firefox.exe+208bb|C:\Program Files\Mozilla Firefox\firefox.exe+1e473|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000086214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000086213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 11241100x800000000000000086212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_0D0888CE7AC1F2D5AD77780722B1FE142023-01-17 10:32:21.989 734700x800000000000000086211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 11241100x800000000000000086210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_0D0888CE7AC1F2D5AD77780722B1FE142023-01-17 10:32:21.989 734700x800000000000000086209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000086208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 11241100x800000000000000086207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.974{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB52023-01-17 10:32:21.974 11241100x800000000000000086206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.974{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB52023-01-17 10:32:21.958 734700x800000000000000086205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000086204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000086203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000086202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000086201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000086200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000086199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000086198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000086196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000086194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.943{F172AD64-7935-63C6-6302-00000000B002}69286256C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+22299|C:\Program Files\Mozilla Firefox\firefox.exe+1e473|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.957{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2MediumMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000086187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.943{F172AD64-7935-63C6-6302-00000000B002}69286256C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\firefox.exe+208bb|C:\Program Files\Mozilla Firefox\firefox.exe+1e473|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.943{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000086185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.943{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000086184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.943{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000086183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.943{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000086182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.943{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000086181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.943{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000086180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.943{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000086179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.943{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000086178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.911{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000086177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.911{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000086176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.911{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000086175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.911{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 13241300x800000000000000086174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDBSetValue2023-01-17 10:32:21.911{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Mozilla Firefox\firefox.exeBinary Data 10341000x800000000000000086173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.896{F172AD64-6CE8-63C6-1300-00000000B002}6802916C:\Windows\System32\svchost.exe{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.896{F172AD64-6CE8-63C6-1300-00000000B002}6802916C:\Windows\System32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.896{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.896{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.896{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.896{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.896{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.896{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.896{F172AD64-7634-63C6-B901-00000000B002}49006424C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\windows.storage.dll+fa4e|C:\Windows\System32\windows.storage.dll+fc51|C:\Windows\System32\windows.storage.dll+f88f|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x800000000000000086164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.882{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 10341000x800000000000000086163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.308{F172AD64-7934-63C6-6102-00000000B002}67086672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.308{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000086161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.308{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000086160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.214{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.214{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38831335650E6B242BE5B36F8BBD2B9,SHA256=2578177CB1BF404DDBBDF01F0F526E753CDED2A3F0E5A2D054369CD31689BDF0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.214{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 11241100x800000000000000086157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.214{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000086156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.214{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E524C4F4B68C07F25E0D2962716FE484,SHA256=54BAB8201B6F97164FBF4F20C6F9122AD2822B9CC82647971347741F910F09A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.214{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F2D7FFCEC30FBC9E16BD3A8C352A837,SHA256=C242AF05BB83976C78008B35A4D03D6EB90B1FF2E4C99D4F0212149305F7CFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.214{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3B66DD7CB40C19944210AD372FD712C1,SHA256=7E0F0799460E1D62445B435F2F7C94E7F4399D29C365F684EAD97373440D4453,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.151{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000086152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.151{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000086151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000086150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000086149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000086148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000086147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000086146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000086145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000086144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000086143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000086142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000086141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000086140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000086139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000086138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000086137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.135{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000086136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000086135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000086134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000086133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000086132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000086131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000086130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000086129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000086128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000086127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000086126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000086125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000086124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000086123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000086122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000086121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000086120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000086119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000086117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 10341000x800000000000000086116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000086114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000086112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.120{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.933{F172AD64-7934-63C6-6102-00000000B002}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000086105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:18.324{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49479-false10.0.1.12-8000- 23542300x800000000000000068955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:22.251{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526DD2C075B75A7130B4994E030F5B70,SHA256=716F75DC17665DF86406737FA0B5861E889E36956925205BE5747B270B1AB2E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.872{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.872{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.872{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.871{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.871{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.871{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.847{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.847{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.847{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.825{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.825{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.825{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000086313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.209{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000086312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.208{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000086311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.207{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000086310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.160{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.160{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325CEB1E2D23E382FB100393AC4B670B,SHA256=97952168C8287DFB2B54D1E90B2D0D607E9E259978929DD3A7894E35FD5FCE6F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.052{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000086307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.052{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000086306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.052{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000086305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.052{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000086304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.036{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 11241100x800000000000000086303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.052{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.052{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FF35EEFA033595CBD51369DC586164,SHA256=7A586DEDA1B82DB1FFCC53DEC18E2E0BF1BCFF7A1AC4DFC078EE7E40D46E5F64,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.052{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000086300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000086299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000086298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.036{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000086297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.036{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000086296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.036{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000086295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.036{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000086294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.974{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000086293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000086292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000086291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000086290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000086289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000086288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000086287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000086286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000086285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000086284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000086283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000086282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000086281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000086280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.021{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000086279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000086278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 734700x800000000000000086277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000086276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.927{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\msvcp140.dll14.16.27033.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=C1B066F9E3E2F3A6785161A8C7E0346A,SHA256=99E3E25CDA404283FBD96B25B7683A8D213E7954674ADEFA2279123A8D0701FD,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000086275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000086274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000086273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000086272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000086271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000086270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000086268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000086267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000086266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000086265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000086264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000086263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000086262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000086261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000086260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000086259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000086258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000086255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000086254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000086253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000086249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000086248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000086247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000086246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000086244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.927{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 154100x800000000000000086241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.834{F172AD64-7935-63C6-6202-00000000B002}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000086240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.958{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000086239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000086238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000086237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000086236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000086235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000086234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000086233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000086232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000086231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000086230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.911{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\vcruntime140.dll14.16.27033.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=1453290DB80241683288F33E6DD5E80E,SHA256=2B7602CC1521101D116995E3E2DDFE0943349806378A0D40ADD81BA64E359B6C,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 10341000x800000000000000086229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 10341000x800000000000000086227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000086224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000086223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000086222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.911{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 734700x800000000000000086221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000086220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000086219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000086218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 23542300x800000000000000068956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:23.418{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2480DEEF08B570592F0C9596FD43971B,SHA256=B92D8A4F03CE2A1281DC8AD338E2CC8A9B59687500ECAAE3DBFBD600DFD03DA9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.983{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journal2023-01-17 10:32:23.983 11241100x800000000000000086554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.983{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite2023-01-17 10:32:23.983 734700x800000000000000086553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.983{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x800000000000000086552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.983{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=C9DBBC2C3A27BB195586C3BC3CDBC198,SHA256=005F60E22A386DB12FA086D7E83DE521B00F69B073D1859E4E13C3F745690638,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x800000000000000086551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.983{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 11241100x800000000000000086550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.968{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.968{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE90EFB88BFFECDDF627BE65020475DD,SHA256=8753BDCC37F18FD7BD49D47A99F4E043BD39A2AB14F8986BFC6D2C773E6B6797,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.952{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x800000000000000086547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.952{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 10341000x800000000000000086546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.952{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.952{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.952{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 10341000x800000000000000086543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.944{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.943{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 10341000x800000000000000086541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.941{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.941{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.941{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000086538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.940{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000086537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.939{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000086536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:23.939{F172AD64-7937-63C6-6602-00000000B002}6688\chrome.2296.1.61462343C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000086535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.935{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000086534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:23.935{F172AD64-7937-63C6-6602-00000000B002}6688\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000086533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.934{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000086532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.931{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000086531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.930{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000086530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.929{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000086529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.927{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000086528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.927{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000086527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.927{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000086526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.927{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000086525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.927{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000086524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.927{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000086523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.923{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000086522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.923{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000086521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.923{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000086520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.923{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000086519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.923{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000086518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.923{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000086517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.923{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000086516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.923{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.922{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000086514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.921{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000086513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.921{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000086512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.918{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000086511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.918{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000086510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.918{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000086509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.918{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000086508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.918{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000086507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.917{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000086506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.917{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x800000000000000086505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.917{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.917{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.917{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000086502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.917{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000086501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.917{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000086500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.917{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000086499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.916{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000086498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.916{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.916{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.916{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000086495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.915{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000086494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.915{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000086493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.914{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.914{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000086491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.914{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.914{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.914{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.913{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.913{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.913{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.913{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+1882cfb|C:\Program Files\Mozilla Firefox\xul.dll+9edbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.914{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.1.614623432\1439423449" -parentBuildID 20230104165113 -prefsHandle 1924 -prefMapHandle 1920 -prefsLen 19520 -prefMapSize 230565 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea284e7e-8f57-4d18-b76c-ff637dcba490} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 1952 179329fc658 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2MediumMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x800000000000000086483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:23.913{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.1.61462343C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000086482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.908{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3925E01E00CC6FF3435E0657E78562D0,SHA256=843F42CE8D28816A990ADB0B9393592703F8CE5A4008E5F5513815A2886F973F,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 10341000x800000000000000086481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.898{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.900{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.899{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.898{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.898{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x800000000000000086476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.894{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 11241100x800000000000000086475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.825{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000086474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.825{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.824{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 734700x800000000000000086472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.821{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000086471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.820{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000086470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.819{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x800000000000000086469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.815{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3,IMPHASH=77C2BDF68EAD031D294626FB2F3033A1trueMicrosoft WindowsValid 734700x800000000000000086468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.798{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000086467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.798{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x800000000000000086466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.798{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBB,IMPHASH=8D3297F500E5144336C044019A1ACFD4trueMicrosoft WindowsValid 734700x800000000000000086465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.782{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 10341000x800000000000000086464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.751{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000086463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:23.751{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.0.182574523C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000086462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000086461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:23.735{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000086460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000086459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000086458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000086457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000086456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000086455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000086454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000086453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000086452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000086451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000086450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000086449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000086448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000086447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000086446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000086445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000086444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000086443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000086442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000086441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000086440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000086439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000086438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000086437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000086436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000086435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000086434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000086433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000086432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000086430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.719{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.715{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.0.1825745235\1677925352" -parentBuildID 20230104165113 -prefsHandle 1664 -prefMapHandle 1484 -prefsLen 18770 -prefMapSize 230565 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19bf9fd0-5b8e-400e-a8f3-6ab7e91fd4b3} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 1824 17931e18258 socketC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000086422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.704{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000086395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:23.704{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.0.182574523C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000086394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:23.704{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000086393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.610{F172AD64-7935-63C6-6302-00000000B002}6928C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x800000000000000086392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.563{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cookies.sqlite-journalMD5=547B2072D58C919470410923C58D4DB7,SHA256=CF79CB7F6AF483684889E58D2E0CBDCC521E30C24B84BF8DD23E7F7DE95863EA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.563{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cookies.sqlite-journal2023-01-17 10:32:23.485 23542300x800000000000000086390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.501{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cookies.sqlite-journalMD5=D3E71268AC18701A33340BF633A524F4,SHA256=9AF1C236FFEF5A704A61079C34989847067038FB79D4A1DBDFA377E036E6528A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.501{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cookies.sqlite-journal2023-01-17 10:32:23.485 23542300x800000000000000086388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.501{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cookies.sqlite-journalMD5=004BE7E7627C28D05ADE2B546231CC66,SHA256=38B05215F2AC371B7119AF541D205394B630F6CE0EECDC268F2A4A73B478E236,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.485{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs.js2023-01-17 10:32:23.485 11241100x800000000000000086386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.485{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Extensions2023-01-17 10:32:23.485 11241100x800000000000000086385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.485{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\LocalLow\Mozilla\Temp-{5c252d2b-a1d2-4397-b641-2eb954aba43f}2023-01-17 10:32:23.485 11241100x800000000000000086384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.485{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\LocalLow\Mozilla2023-01-17 10:32:23.485 11241100x800000000000000086383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.485{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed2023-01-17 10:32:23.485 11241100x800000000000000086382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.485{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cookies.sqlite-journal2023-01-17 10:32:23.485 11241100x800000000000000086381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.485{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries2023-01-17 10:32:23.485 11241100x800000000000000086380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.485{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache22023-01-17 10:32:23.485 11241100x800000000000000086379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.485{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cookies.sqlite2023-01-17 10:32:23.485 734700x800000000000000086378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.438{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 734700x800000000000000086377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.438{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x800000000000000086376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.438{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 734700x800000000000000086375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.438{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 354300x800000000000000086374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.755{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49480-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000086373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:20.755{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49480-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 734700x800000000000000086372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3,IMPHASH=77C2BDF68EAD031D294626FB2F3033A1trueMicrosoft WindowsValid 11241100x800000000000000086371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\UpdateLock-308046B0AF4A39CB2023-01-17 10:32:23.423 11241100x800000000000000086370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\startupCache2023-01-17 10:32:23.423 734700x800000000000000086369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000086368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000086367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000086366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x800000000000000086365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBB,IMPHASH=8D3297F500E5144336C044019A1ACFD4trueMicrosoft WindowsValid 11241100x800000000000000086364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\compatibility.ini2023-01-17 10:32:23.392 11241100x800000000000000086363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\.startup-incomplete2023-01-17 10:32:23.392 11241100x800000000000000086362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\crashes\events2023-01-17 10:32:23.392 11241100x800000000000000086361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\crashes2023-01-17 10:32:23.392 11241100x800000000000000086360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\minidumps2023-01-17 10:32:23.392 11241100x800000000000000086359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\parent.lock2023-01-17 10:32:23.392 11241100x800000000000000086358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb382023-01-17 10:32:23.392 11241100x800000000000000086357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini2023-01-17 10:32:23.392 11241100x800000000000000086356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\installs.ini2023-01-17 10:32:23.392 11241100x800000000000000086355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\o6dguptx.default\times.json2023-01-17 10:32:23.392 11241100x800000000000000086354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\o6dguptx.default2023-01-17 10:32:23.392 11241100x800000000000000086353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\o6dguptx.default2023-01-17 10:32:23.392 11241100x800000000000000086352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\times.json2023-01-17 10:32:23.392 11241100x800000000000000086351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release2023-01-17 10:32:23.392 11241100x800000000000000086350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles2023-01-17 10:32:23.392 11241100x800000000000000086349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release2023-01-17 10:32:23.392 11241100x800000000000000086348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles2023-01-17 10:32:23.376 11241100x800000000000000086347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox2023-01-17 10:32:23.376 11241100x800000000000000086346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla2023-01-17 10:32:23.376 11241100x800000000000000086345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\firefox\parent.lock2023-01-17 10:32:23.376 11241100x800000000000000086344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\firefox2023-01-17 10:32:23.376 11241100x800000000000000086343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime202301041651132023-01-17 10:32:23.376 11241100x800000000000000086342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Pending Pings2023-01-17 10:32:23.376 11241100x800000000000000086341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Crash Reports\events2023-01-17 10:32:23.376 11241100x800000000000000086340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Crash Reports2023-01-17 10:32:23.376 11241100x800000000000000086339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox2023-01-17 10:32:23.376 11241100x800000000000000086338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla2023-01-17 10:32:23.376 734700x800000000000000086337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000086336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000086335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000086334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 734700x800000000000000086333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x800000000000000086332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000086331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000086330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000086329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000086328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 11241100x800000000000000086327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.219{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.219{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D35B8726CC6600ED08B823A91D89A07,SHA256=27D73996F13D381230B969FFC809F237208E39D965FB8B843B1BDBD35EBEC0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:24.637{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2901DFDDB672CD77F95069DF3BFD035C,SHA256=946D0CAC0B0560659315D85C885839E20B27A249CD66CDD0B560A4DA59F68772,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.990{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavutil.dll108.0.2-FirefoxMozilla Foundationmozavutil.dllMD5=6867D0951F37AE86D9BAC1C7ABD95343,SHA256=605191D98C158E9201284627A061D3B6C814C8E919330B69353F791597C096AA,IMPHASH=9FA5AE0F98A584516538DC6DFC2A14DDtrueMozilla CorporationValid 10341000x800000000000000087133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.989{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.989{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.988{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.988{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.920{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.920{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.919{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.919{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.919{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.919{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000087123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.890{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000087122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.890{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E129CC1A2A16CE31B381B1E1B2EC5F9,SHA256=652831B278CA58403EF4D48C3BF4EAA22F0284557C8A11D1CC4CA3CD27FA502C,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000087121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.882{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000087120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:24.882{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-2C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000087119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.877{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000087118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:24.877{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000087117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.836{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 10341000x800000000000000087115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.835{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.831{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000087113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.829{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000087112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.829{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000087111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.825{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 11241100x800000000000000087110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.825{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\791dc939bf1885722023-01-17 10:32:24.825 11241100x800000000000000087109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.825{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\866e007ca113911e2023-01-17 10:32:24.825 11241100x800000000000000087108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.825{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\84fd7c01a641b8072023-01-17 10:32:24.824 11241100x800000000000000087107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.825{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\d568e0bcd74a0e822023-01-17 10:32:24.823 10341000x800000000000000087106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.824{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.824{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.823{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\90f4c8b7c2320c272023-01-17 10:32:24.823 734700x800000000000000087103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.823{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000087102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.822{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 10341000x800000000000000087101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.820{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.820{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.820{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000087098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.819{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000087097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.819{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000087096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.818{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000087095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.818{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000087094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.817{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000087093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.812{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000087092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.812{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000087091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.811{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000087090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.800{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.798{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000087088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.798{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000087087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.797{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.3574329096232033594C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.797{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 17141700x800000000000000087085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:24.796{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.3574329096232033594C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000087084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.796{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.795{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.4.141120481C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000087082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.792{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.791{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.767{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000087079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.786{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000087078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.785{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000087077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.785{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000087076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.784{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000087075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.784{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000087074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.784{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000087073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.783{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000087072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.783{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000087071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.782{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000087070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.782{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000087069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.781{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000087068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.780{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000087067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.779{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000087066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.779{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000087065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.779{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000087064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.779{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000087063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.778{F172AD64-7938-63C6-6702-00000000B002}43405912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.778{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000087061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.778{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000087060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.778{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000087059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.697{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\avrt.dll10.0.14393.2969 (rs1_release.190503-1820)Multimedia Realtime RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationavrt.dllMD5=8EC9E2490A9FFA637115F758B22FFF78,SHA256=1A3295CBF09E9367CCE68505D949D724FB9B66B4516770B7D594273C3BCFC5B8,IMPHASH=F266C00A61E480BB0A81B1A89DB30014trueMicrosoft WindowsValid 734700x800000000000000087058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.776{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000087057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.775{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000087056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.774{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000087055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.774{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.774{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000087053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.579{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88ED,IMPHASH=6097EA32A6AE2378711DDF884725A2AFtrueMicrosoft WindowsValid 734700x800000000000000087052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.772{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000087051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.772{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000087050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.770{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000087049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.769{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000087048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.768{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000087047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.768{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000087046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.767{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000087045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.766{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000087044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.766{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000087043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.766{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000087042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.764{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 10341000x800000000000000087041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.763{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+f6d8c2|C:\Program Files\Mozilla Firefox\xul.dll+b87a13|C:\Program Files\Mozilla Firefox\xul.dll+252ddf|C:\Program Files\Mozilla Firefox\xul.dll+252b6a|C:\Program Files\Mozilla Firefox\xul.dll+f8a3dd|C:\Program Files\Mozilla Firefox\xul.dll+1098347|C:\Program Files\Mozilla Firefox\xul.dll+e6c414|C:\Program Files\Mozilla Firefox\xul.dll+c36b5c|C:\Program Files\Mozilla Firefox\xul.dll+c3407d|C:\Program Files\Mozilla Firefox\xul.dll+259ab7|C:\Program Files\Mozilla Firefox\xul.dll+2595e3|C:\Program Files\Mozilla Firefox\xul.dll+105b67f|C:\Program Files\Mozilla Firefox\xul.dll+1896cd9|C:\Program Files\Mozilla Firefox\xul.dll+1895150|C:\Program Files\Mozilla Firefox\xul.dll+c36636|C:\Program Files\Mozilla Firefox\xul.dll+240641|C:\Program Files\Mozilla Firefox\xul.dll+cf3efe|C:\Program Files\Mozilla Firefox\xul.dll+1884dfb|C:\Program Files\Mozilla Firefox\xul.dll+1839c21|C:\Program Files\Mozilla Firefox\xul.dll+1ce604a|C:\Program Files\Mozilla Firefox\xul.dll+1e42f11|C:\Program Files\Mozilla Firefox\xul.dll+183a008 734700x800000000000000087040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.763{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000087039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.762{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e7db2c|C:\Program Files\Mozilla Firefox\xul.dll+e80264|C:\Program Files\Mozilla Firefox\xul.dll+c36e71|C:\Program Files\Mozilla Firefox\xul.dll+c3407d|C:\Program Files\Mozilla Firefox\xul.dll+259ab7|C:\Program Files\Mozilla Firefox\xul.dll+2595e3|C:\Program Files\Mozilla Firefox\xul.dll+105b67f|C:\Program Files\Mozilla Firefox\xul.dll+1896cd9|C:\Program Files\Mozilla Firefox\xul.dll+1895150|C:\Program Files\Mozilla Firefox\xul.dll+c36636|C:\Program Files\Mozilla Firefox\xul.dll+240641|C:\Program Files\Mozilla Firefox\xul.dll+cf3efe|C:\Program Files\Mozilla Firefox\xul.dll+1884dfb|C:\Program Files\Mozilla Firefox\xul.dll+1839c21|C:\Program Files\Mozilla Firefox\xul.dll+1ce604a|C:\Program Files\Mozilla Firefox\xul.dll+1e42f11|C:\Program Files\Mozilla Firefox\xul.dll+183a008|C:\Program Files\Mozilla Firefox\xul.dll+1ce604a 734700x800000000000000087038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.762{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.762{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000087036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.762{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.573{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C,IMPHASH=98E0DBCEA076EF80E7DE241072E34656trueMicrosoft WindowsValid 10341000x800000000000000087034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.757{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.756{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.756{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.756{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.756{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.756{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.756{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.4.1411204816\1187222509" -childID 3 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 21956 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c1d6ed8-be3e-4942-baf0-e40e9dd51d3d} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 3540 179388af058 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000087027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.754{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.520{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\evr.dll10.0.14393.2515 (rs1_release_1.180830-1044)Enhanced Video Renderer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationevr.dllMD5=4F00E99C3E92226B072C0E80D52A82F4,SHA256=7788212BD473C69B3C8F6705A7470BE783BE0244BC289334EFA579AAD2C9A91C,IMPHASH=C44CF843A574B60FED1B4D29827EBA14trueMicrosoft WindowsValid 10341000x800000000000000087025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.754{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.754{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.754{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.754{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.753{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.753{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.753{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.753{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.753{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.752{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.752{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.752{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.752{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.752{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.751{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.751{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.751{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.751{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.751{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.750{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.750{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.750{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.750{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.749{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.749{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000087000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:24.747{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.4.141120481C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000086999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.746{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.745{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.741{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000086996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.502{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dxva2.dll10.0.14393.0 (rs1_release.160715-1616)DirectX Video Acceleration 2.0 DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdxva2.dllMD5=DE24CAC5A0B3CE1AD8057FE258712365,SHA256=5CA1E7FBA01D92AA3F933A00E495460DC5DB38DAD2CAD370782474F50F9C964E,IMPHASH=338B9EB254A5341CE890B2511DF3DFAEtrueMicrosoft WindowsValid 734700x800000000000000086995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.739{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 11241100x800000000000000086994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.738{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm2023-01-17 10:32:24.715 11241100x800000000000000086993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.738{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal2023-01-17 10:32:24.714 734700x800000000000000086992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.738{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 23542300x800000000000000086991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.737{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-walMD5=4D77B1788D754493F1CFED6322FB595C,SHA256=E27D9D75DABD2954FDCF3BC786C84A82543026DDD15CBB2C2760A211F39CBA07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.735{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=DC118F11157A4C79172E521B69AD9352,SHA256=C120481F3531C1A2A3ECDC405B60178F0C25F52DC6B79C465D98508AFA02DD42,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.487{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mf.dll10.0.14393.5582 (rs1_release.221130-1719)Media Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmf.dllMD5=1D9ED89EC36FB43303418F557A8B7893,SHA256=20F02D55E45A5EED892A92145FB9244A4F658E73F57048374E327B9504F021F6,IMPHASH=224763A9487AA02E14432742CBC2F08EtrueMicrosoft WindowsValid 734700x800000000000000086988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.734{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000086987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.733{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.733{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.733{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 11241100x800000000000000086984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.732{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.731{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693887E2A3F063F1E826589150737B4F,SHA256=7B502767B346994EDD0F59C2ACDB5C80A2CDE0EA9CE47DCD06B6C2508B19E1B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.730{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files2023-01-17 10:32:24.730 734700x800000000000000086981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.730{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000086980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.727{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000086979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.727{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000086978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.726{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000086977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.726{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000086976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.725{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000086975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.479{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MSAudDecMFT.dll10.0.14393.206 (rs1_release.160915-0644)Media Foundation Audio DecodersMicrosoft® Windows® Operating SystemMicrosoft CorporationMSAudDecMFT.dllMD5=899A520E5B6B8631DF6863BBD33A4264,SHA256=2A23CAF4CC2D11A20574EDE1755D03F4FF1ECDCE3D626A69D85CFE46703BC97D,IMPHASH=564825227B20C446A4E5874DD1BAF1FAtrueMicrosoft WindowsValid 734700x800000000000000086974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.719{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000086973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.718{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000086972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.717{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 11241100x800000000000000086971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.715{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm2023-01-17 10:32:24.715 11241100x800000000000000086970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.714{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal2023-01-17 10:32:24.714 23542300x800000000000000086969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.714{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-journalMD5=A0325B4AFBC0BE2250773F3BCB47FFA0,SHA256=4BADC4BD0464F296D7395648257D6E1DA221BCB5326A4C17CC6B5F8366901498,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.466{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.5127Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=949437310EC0EB86F6B5985189C513C8,SHA256=A3751817F2212BFA84BC21D22B06DDEC1B64DD54C532F5902AED9BDD934C99DA,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 11241100x800000000000000086967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.702{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-journal2023-01-17 10:32:24.673 10341000x800000000000000086966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.701{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.455{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msdmo.dll10.0.14393.0 (rs1_release.160715-1616)DMO RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdmo.dllMD5=3246C9C5ECF6555103C7119161ACC8C8,SHA256=3A29292F04B09A91C305062E00756194A83BDEA3ABB1BFB783D908E6D1BEBFBC,IMPHASH=B5AB2AA782AD334C5633AAE30A2CFF41trueMicrosoft WindowsValid 734700x800000000000000086964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.699{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 18141800x800000000000000086963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.698{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.13508192545218878240C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000086962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:24.698{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.13508192545218878240C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000086961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.698{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-journalMD5=C1A2EAAA03063762E1300427D5E8592C,SHA256=5A444EBB77EA5E133A3A1DF9746D3269174A7D0F3264ECC2EF29F53A69A5AA46,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.697{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 11241100x800000000000000086959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.688{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x800000000000000086958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.688{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x800000000000000086957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.688{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06912995FD153BEA1CB81C64E47AB48E,SHA256=876E680EF5A332E048F404402DB02B688CDAFD2E18F8391E43D471FD03E84B6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.688{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000086955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.688{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.3.142688569C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000086954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.685{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000086953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.684{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000086952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.451{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MP3DMOD.DLL10.0.14393.0 (rs1_release.160715-1616)Microsoft MP3 Decoder DMOMicrosoft® Windows® Operating SystemMicrosoft Corporationmp3dmod.dllMD5=A9B35CD3C0A14AE1B9DAA8E4114B8E49,SHA256=25142AF94A5C151055C5DAAB89D183F923CE47EE61D8D3B38DE2BC833FC16E18,IMPHASH=33FA1A40805F452D7ED8E842BB1DA59BtrueMicrosoft WindowsValid 734700x800000000000000086951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.446{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\libEGL.dll2.1.15728 git hash: 6a5622459d2cANGLE libEGL Dynamic Link LibraryANGLE libEGL Dynamic Link Library-libEGL.dllMD5=3C09A6DE1DFADECCC70455DA2F665CDA,SHA256=60F3CDFC2987B375C3C89C73C1F71A3E49D0FE13EB343641BF750D912D9D33BA,IMPHASH=E386D79B5B48C575AABEA6668825B1F2trueMozilla CorporationValid 734700x800000000000000086950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.444{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\RTWorkQ.dll10.0.14393.479 (rs1_release.161110-2025)Realtime WorkQueue DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRTWorkQ.dllMD5=1EABA23A7305A232C9A16C14806ED091,SHA256=3AD1A84A56EE0DA68B40D40770787FEED3DCF4A74BE172F01BD837FD680396E6,IMPHASH=41E263D9EB0100A59E34B18CF8F6F725trueMicrosoft WindowsValid 734700x800000000000000086949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.678{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 11241100x800000000000000086948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.678{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 734700x800000000000000086947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.678{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 23542300x800000000000000086946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.677{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.677{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000086944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.677{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000086943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.676{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000086942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.676{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000086941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.676{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000086940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.675{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000086939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.675{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000086938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.674{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 11241100x800000000000000086937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.674{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 11241100x800000000000000086936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.673{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-journal2023-01-17 10:32:24.673 18141800x800000000000000086935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.673{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000086934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:24.673{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-0C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000086933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.673{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 11241100x800000000000000086932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.673{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 11241100x800000000000000086931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite2023-01-17 10:32:24.672 23542300x800000000000000086930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.672{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E727F19FC419CB379E365098935E003,SHA256=6D281D4B90C53703EE922346CEEA760C343DE242D1D68F1323FB70E98DBFA999,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.672{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000086928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.671{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000086927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.671{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000086926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.670{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000086925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.670{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000086924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.670{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000086923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.669{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.669{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 10341000x800000000000000086921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.668{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.668{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000086919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.667{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000086918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.666{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000086917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.666{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.666{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000086915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.442{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winhttp.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=44DF25F229E9374FA1290BE1CA03026B,SHA256=A446A296E85934FD9D10D7BD5B086FE6B4972FD7E93D4CC0ADC1068DD7A5AD81,IMPHASH=35501E61EE90F9745FCEA0F1F844350FtrueMicrosoft WindowsValid 734700x800000000000000086914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.664{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000086913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.664{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000086912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.664{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000086911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.662{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000086910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.662{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000086909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.661{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000086908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.660{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000086907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.660{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000086906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.660{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000086905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.659{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000086904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.657{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000086903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.657{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000086902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.649{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000086901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.649{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.649{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.649{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000086898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.647{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000086897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.646{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000086896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.645{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000086895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.644{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.642{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 734700x800000000000000086893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.642{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000086892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.642{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 10341000x800000000000000086891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.639{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.638{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.637{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000086888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.637{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000086887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.637{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000086886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.630{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 10341000x800000000000000086885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.629{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e7db2c|C:\Program Files\Mozilla Firefox\xul.dll+e80264|C:\Program Files\Mozilla Firefox\xul.dll+c36e71|C:\Program Files\Mozilla Firefox\xul.dll+c3407d|C:\Program Files\Mozilla Firefox\xul.dll+259ab7|C:\Program Files\Mozilla Firefox\xul.dll+2595e3|C:\Program Files\Mozilla Firefox\xul.dll+105b67f|C:\Program Files\Mozilla Firefox\xul.dll+1896cd9|C:\Program Files\Mozilla Firefox\xul.dll+1895150|C:\Program Files\Mozilla Firefox\xul.dll+c36636|C:\Program Files\Mozilla Firefox\xul.dll+239e6d|C:\Program Files\Mozilla Firefox\xul.dll+209c5a|C:\Program Files\Mozilla Firefox\xul.dll+814471|C:\Program Files\Mozilla Firefox\xul.dll+18702d7|C:\Program Files\Mozilla Firefox\xul.dll+19588c1|C:\Program Files\Mozilla Firefox\xul.dll+1b4492f|C:\Program Files\Mozilla Firefox\xul.dll+183e417|C:\Program Files\Mozilla Firefox\xul.dll+1e4f0dd 10341000x800000000000000086884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.627{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.627{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.627{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.626{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.625{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.626{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.3.1426885699\378035753" -childID 2 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 20874 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06c4a15f-fdaf-4c66-b2e0-a98c3ca05fd7} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 3232 17937f73b58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x800000000000000086878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.441{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mfperfhelper.dll10.0.14393.0 (rs1_release.160715-1616)MFPerf DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfperfhelper.dllMD5=DAD53152E620AB1D256F531CCDDF4C96,SHA256=577A697C088A319A9839989E18548F46121E661D56C701DE0360905E814BC12D,IMPHASH=A00BC62B03D75EE2D584A9E7EFBA79A6trueMicrosoft WindowsValid 734700x800000000000000086877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.625{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000086876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.434{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mfplat.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Platform DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfplat.dllMD5=6B3DD2386B60D0003B3A0A1AE706A9C5,SHA256=2DF94FA3C88D5D8AB5A981C0182263B5D8161CE0F96687D2DF7892EB4F25104C,IMPHASH=4B0B41F559164385A004BCC689586F63trueMicrosoft WindowsValid 10341000x800000000000000086875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.625{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.625{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.625{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.625{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.623{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.623{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.623{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.623{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.623{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.623{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.623{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.623{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.623{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.623{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.621{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.621{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.621{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.621{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.621{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.621{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.620{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.620{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.620{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.620{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.619{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.619{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.616{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 17141700x800000000000000086848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:24.614{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.3.142688569C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000086847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.434{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 10341000x800000000000000086846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.598{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.582{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000086844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.425{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\osclientcerts.dll108.0.2-FirefoxMozilla Foundationosclientcerts.dllMD5=487E5715133ED1ED9C41DD03A6C9E9BC,SHA256=2F30860E1737BDFBECC4F25CC4436CD9557AC1F0A02E579D4A7099B073B2565A,IMPHASH=C212EEF2AF1A338FE7CDF1A526EB3D05trueMozilla CorporationValid 734700x800000000000000086843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.581{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000086842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.418{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msmpeg2vdec.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft DTV-DVD Video DecoderMicrosoft® Windows® Operating SystemMicrosoft CorporationMSMPEG2VDEC.dllMD5=A1848B7EAD4E9B656A947F047AF2ADD9,SHA256=A80DCB59A565170E9A16E31DEB03FF0564D7DC3505FA83EAD96AC02FEDB87681,IMPHASH=6B91AF8A332F21F82F6117F8D9E0B8DBtrueMicrosoft WindowsValid 734700x800000000000000086841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.580{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 18141800x800000000000000086840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.579{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.7738699895437590023C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000086839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:24.579{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.7738699895437590023C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000086838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.576{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000086837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.576{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.2.118772298C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000086836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.574{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000086835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.574{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.571{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 10341000x800000000000000086833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.568{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000086832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:24.568{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000086831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.562{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000086830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.561{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000086829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.561{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000086828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.407{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wininet.dll11.00.14393.5582 (rs1_release.221130-1719)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=CB2C069BBC0C6F01FCF8B8CC33B759F3,SHA256=20A51841566FBBADEE3D80FA2A5BCA22125CB60AB48D8C07868A0E104557D017,IMPHASH=3A3043B2614699B8AF49F62AD14660B1trueMicrosoft WindowsValid 11241100x800000000000000086827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.548{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\5e4905fc7a6518912023-01-17 10:32:24.548 734700x800000000000000086826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.546{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000086825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.545{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000086824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.544{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000086823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.544{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000086822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.541{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000086821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.540{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000086820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.539{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000086819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.538{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000086818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.531{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000086817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.530{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000086816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.530{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000086815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.529{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000086814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.529{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000086813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.524{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000086812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.521{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000086811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.517{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000086810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.517{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000086809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.516{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000086808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.516{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000086807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.515{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000086806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.515{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000086805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.515{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000086804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.514{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000086803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.513{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000086802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.512{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000086801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.511{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000086800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.511{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000086799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.510{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000086798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.510{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000086797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.510{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000086796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.508{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000086795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.508{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000086794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.507{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000086793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.498{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000086792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.498{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000086791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.498{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000086790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.497{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000086789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.497{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000086788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.497{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.497{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000086786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.496{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000086785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.496{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000086784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.494{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000086783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.494{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000086782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.487{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000086781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.487{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000086780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.486{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000086779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.486{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000086778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.486{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000086777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.485{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000086776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.485{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000086775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.485{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000086774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.485{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000086773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.485{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000086772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.485{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000086771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.485{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 11241100x800000000000000086770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.483{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache2023-01-17 10:32:24.483 10341000x800000000000000086769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.483{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.483{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000086767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.483{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000086766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.482{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000086765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.482{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.407{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nssckbi.dll108.0.2-FirefoxMozilla Foundationnssckbi.dllMD5=F1B860CD2183C25862A29CDE67802202,SHA256=31DFAD535293EFD77C71BC7F60D04940C57C8D651E8C6EDED9DFA66258BD321C,IMPHASH=70342998BF17D9C9CCA244F43D47ED74trueMozilla CorporationValid 734700x800000000000000086763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.481{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000086762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.481{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.481{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x800000000000000086760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.481{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.481{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.481{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.481{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.479{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.332{F172AD64-7938-63C6-6702-00000000B002}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000086754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.477{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000086753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.476{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000086752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.475{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000086751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.475{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000086750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.474{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000086749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.376{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\d3d9.dll10.0.14393.447 (rs1_release_inmarket.161102-0100)Direct3D 9 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D9.dllMD5=98326410B37312F3A57E8040250BDC32,SHA256=ADDEE549568ABA1E45C6868D76162F5DE6E58CBD83C43429EA0F9868ECA3DC42,IMPHASH=A3F81B60CD48F233C949F2E60B5C9AD4trueMicrosoft WindowsValid 734700x800000000000000086748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.474{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000086747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.472{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000086746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.471{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000086745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.462{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000086744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.361{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\libGLESv2.dll2.1.15728 git hash: 6a5622459d2cANGLE libGLESv2 Dynamic Link LibraryANGLE libGLESv2 Dynamic Link Library-libGLESv2.dllMD5=D8792D1B91C116A1ACB9256C5748E539,SHA256=6959E25AAC606F99EDFD8D432F9C42208D256B773681BC3FD9045D8BDA384396,IMPHASH=9C93EB7B45483B70F61CD7FFF1A70E51trueMozilla CorporationValid 10341000x800000000000000086743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.455{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.455{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.455{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.455{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.455{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000086738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.455{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000086737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.071{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64403- 10341000x800000000000000086736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.445{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+f6d8c2|C:\Program Files\Mozilla Firefox\xul.dll+b87a13|C:\Program Files\Mozilla Firefox\xul.dll+252ddf|C:\Program Files\Mozilla Firefox\xul.dll+252b6a|C:\Program Files\Mozilla Firefox\xul.dll+f8a3dd|C:\Program Files\Mozilla Firefox\xul.dll+1098347|C:\Program Files\Mozilla Firefox\xul.dll+e6c414|C:\Program Files\Mozilla Firefox\xul.dll+c36b5c|C:\Program Files\Mozilla Firefox\xul.dll+c3407d|C:\Program Files\Mozilla Firefox\xul.dll+259ab7|C:\Program Files\Mozilla Firefox\xul.dll+2595e3|C:\Program Files\Mozilla Firefox\xul.dll+105b67f|C:\Program Files\Mozilla Firefox\xul.dll+1896cd9|C:\Program Files\Mozilla Firefox\xul.dll+1895150|C:\Program Files\Mozilla Firefox\xul.dll+c36636|C:\Program Files\Mozilla Firefox\xul.dll+239e6d|C:\Program Files\Mozilla Firefox\xul.dll+209c5a|C:\Program Files\Mozilla Firefox\xul.dll+814471|C:\Program Files\Mozilla Firefox\xul.dll+18702d7|C:\Program Files\Mozilla Firefox\xul.dll+19588c1|C:\Program Files\Mozilla Firefox\xul.dll+1b4492f|C:\Program Files\Mozilla Firefox\xul.dll+183e417 10341000x800000000000000086735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.444{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e7db2c|C:\Program Files\Mozilla Firefox\xul.dll+e80264|C:\Program Files\Mozilla Firefox\xul.dll+c36e71|C:\Program Files\Mozilla Firefox\xul.dll+c3407d|C:\Program Files\Mozilla Firefox\xul.dll+259ab7|C:\Program Files\Mozilla Firefox\xul.dll+2595e3|C:\Program Files\Mozilla Firefox\xul.dll+105b67f|C:\Program Files\Mozilla Firefox\xul.dll+1896cd9|C:\Program Files\Mozilla Firefox\xul.dll+1895150|C:\Program Files\Mozilla Firefox\xul.dll+c36636|C:\Program Files\Mozilla Firefox\xul.dll+239e6d|C:\Program Files\Mozilla Firefox\xul.dll+209c5a|C:\Program Files\Mozilla Firefox\xul.dll+814471|C:\Program Files\Mozilla Firefox\xul.dll+18702d7|C:\Program Files\Mozilla Firefox\xul.dll+19588c1|C:\Program Files\Mozilla Firefox\xul.dll+1b4492f|C:\Program Files\Mozilla Firefox\xul.dll+183e417|C:\Program Files\Mozilla Firefox\xul.dll+1e4f0dd 10341000x800000000000000086734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.444{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.441{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000086732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.439{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.439{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000086730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.439{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.435{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.435{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.435{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.435{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.435{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.434{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.434{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.2.1187722980\1319579522" -childID 1 -isForBrowser -prefsHandle 2476 -prefMapHandle 2472 -prefsLen 20766 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24f2a551-a92e-45d4-9881-5acbe0d8ce7f} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 2488 17937b5b258 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000086722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.433{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.433{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.433{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.433{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.432{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.432{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.432{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.432{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.432{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.431{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.431{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.431{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.431{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.431{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.430{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.430{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.430{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.430{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.430{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.429{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.429{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.429{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.429{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.429{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.429{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.428{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.428{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.428{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000086694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.428{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000086693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.427{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x800000000000000086692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.426{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x800000000000000086691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.425{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 17141700x800000000000000086690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:24.425{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.2.118772298C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000086689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.299{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\D3DCompiler_47.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Direct3D HLSL CompilerMicrosoft® Windows® Operating SystemMicrosoft Corporationd3dcompiler_47.dllMD5=151EBEB682378C964041D73DA92F3401,SHA256=0EA6F1AB5E005591CA9C095B6B57D1AF35D2879E3DC10659827A8C4DFAB2C7A1,IMPHASH=6FDF9A87126D967D12E1FE5AAD5EEF07trueMicrosoft WindowsValid 11241100x800000000000000086688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.391{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\security_state2023-01-17 10:32:24.391 23542300x800000000000000086687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.391{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\key4.db-journalMD5=333C3CCC7ABEFB1B98E747F7FB8F256D,SHA256=A2A8A9D98840F329B9F06F1E0D9D92D16E94E38A70CEDA0888C2980107A6BA18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\key4.db-journal2023-01-17 10:32:24.376 23542300x800000000000000086685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.376{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\key4.db-journalMD5=39D3C0D02979072C379A4A867BECC0BF,SHA256=4713CDA83F22F58DDCCE3BA2F33FA545E31BC5490B509C16F07E0BA7811CA33E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\key4.db-journal2023-01-17 10:32:24.376 11241100x800000000000000086683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\key4.db2023-01-17 10:32:24.376 23542300x800000000000000086682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.376{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=5FD96B1795DED68132FD2B9613C37CB4,SHA256=18B5B5091F8F8BB1AAA3EA12848D437AC1F1ED40AB08E2399F44896DCBC89BCD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:32:24.361 11241100x800000000000000086680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db2023-01-17 10:32:24.361 734700x800000000000000086679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 11241100x800000000000000086678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\pkcs11.txt2023-01-17 10:32:24.361 734700x800000000000000086677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000086676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.204{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 10341000x800000000000000086675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.343{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000086674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.328{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.328{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1FAA608996DC7E4893EE26A6708B62C,SHA256=23389740B29E85A8FC4C8452A8AB3E604BE0C36F8AF90D2969DCC3E8A0B3B8C1,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.299{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000086671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.299{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 11241100x800000000000000086670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.299{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm2023-01-17 10:32:24.266 11241100x800000000000000086669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.299{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal2023-01-17 10:32:24.266 734700x800000000000000086668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.145{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 23542300x800000000000000086667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.299{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-walMD5=1D34E075373050038BCA2B4D95F4A679,SHA256=06DFF0B6AD1AE4D7CCFF8C4A6EBF22649A518FD1FBD2BAB9A4314DCFE2AE46D3,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.147{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 23542300x800000000000000086665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.281{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=00A61799684E0928A4ECC0F9B8666A09,SHA256=9D9160B5665A2F5321D17B84B1F87BFA3134B2496990B88EFAC4D5A2C09E3A8A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.281{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files2023-01-17 10:32:24.281 11241100x800000000000000086663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.266{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm2023-01-17 10:32:24.266 11241100x800000000000000086662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.266{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal2023-01-17 10:32:24.266 23542300x800000000000000086661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.266{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-journalMD5=99B8510807347AD1BE44562A62137E4F,SHA256=5548F2A9138F36C4C965C947487F38CA31F686CE8A33E8CD49D8E3C950EC97DA,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.108{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MMDevAPI.dll10.0.14393.4169 (rs1_release.210107-1130)MMDevice APIMicrosoft® Windows® Operating SystemMicrosoft CorporationMMDevAPI.DllMD5=CF179D8A655703FDD273891432EBF588,SHA256=722863E48713AEDC9E7EA95C181CAAA389B147BCE51A7E815F0D4189AF92B6E8,IMPHASH=A9DFEC2D392C78A08CC45D2B95165EEAtrueMicrosoft WindowsValid 11241100x800000000000000086659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.266{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-journal2023-01-17 10:32:24.250 23542300x800000000000000086658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.266{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-journalMD5=6172F5545CFA564E5D5E492E3CFF2135,SHA256=6CA3043DF206FF7645621B7A02D86A20152A4CE67D442620732BEF1D6CC6EB03,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.968{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x800000000000000086656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.968{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D92AABEAF72AB2FB3B2E2F911477039E,SHA256=300FEBB1EFE1EECA4F535A828104A8F4AEF8FC4785A0456B2D8DA76E7EDAFC96,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 11241100x800000000000000086655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-journal2023-01-17 10:32:24.250 11241100x800000000000000086654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000086653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 11241100x800000000000000086652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite2023-01-17 10:32:24.250 23542300x800000000000000086651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.250{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=D27082834255E369C9A3777D8E4B3226,SHA256=155EBA91AF571DC89E5512D8B48B0DF32C8282D80B309007ACF2DAF5D23ECAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.250{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=2ADA3608FA6AD8D6AE82C3830A44A6C1,SHA256=A4DD2EB154BD80DA1788233E4A642BF49BD2CEABCAED34AAA29BECE4AB3A506A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.234{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files2023-01-17 10:32:24.234 734700x800000000000000086648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.934{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mscms.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Matching System DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCMS.DLLMD5=85508B678B5852611B112F61858CFC9B,SHA256=88BEBDCCD2532A4D62C4D5EFE475590513BAA7C90C0885FC68DC4451BD06DF8A,IMPHASH=9C1E7CCABDEA296D63CB0D1AF20AD0E3trueMicrosoft WindowsValid 11241100x800000000000000086647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.218{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000086646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.218{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 23542300x800000000000000086645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.218{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-journalMD5=F6292F16B1D18ACF9E7A5F53FFD4F41E,SHA256=D0EC51459B08E2D9BDE09C49EEA2DA65DAEC4C91C906C50442EE3FBFCC09D01E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.910{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x800000000000000086643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.108{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x800000000000000086642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.905{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\directmanipulation.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Direct Manipulation ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdirectmanipulation.dllMD5=EA7CE188E0D1E66C361C8B87304EACDE,SHA256=9ADCA2B7554173A0FD8833F65935C151B09A5D790F46E9EC4EE25E9622F1159A,IMPHASH=D9F27AFFC8B05CE56A2B9B9CD5B4C9B5trueMicrosoft WindowsValid 11241100x800000000000000086641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.218{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-journal2023-01-17 10:32:24.204 23542300x800000000000000086640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.218{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-journalMD5=F0A03926F74C57CB354665B71F4AB6B5,SHA256=98101BF6C9AADE80F2FA98AE79FA4C603EC5358D6A113F9DD2281733828D75FF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.204{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.204{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B482E292C3B14D1823BCBD55DFC002EF,SHA256=674E86C930C4DF73527E9C463D4AB0C9CFF5D70F33317660AAA1C5C193ED89C2,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.892{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\Windows.UI.Immersive.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)WINDOWS.UI.IMMERSIVEMicrosoft® Windows® Operating SystemMicrosoft CorporationWINDOWS.UI.IMMERSIVE.dllMD5=EBA5708851DB0E74E21AC7882DB69436,SHA256=B3B420E172DA99DB8B5E36302935BB06F545BC768A6FD2BE316EB705C13A7E44,IMPHASH=C4B08B13880C55C99DE6E3BAA38D9893trueMicrosoft WindowsValid 734700x800000000000000086636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.204{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x800000000000000086635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.204{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 11241100x800000000000000086634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.204{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-journal2023-01-17 10:32:24.204 734700x800000000000000086633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.204{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 11241100x800000000000000086632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.204{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite2023-01-17 10:32:24.204 11241100x800000000000000086631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.204{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb2023-01-17 10:32:24.204 11241100x800000000000000086630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.187{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\.metadata-v2-tmp2023-01-17 10:32:24.187 11241100x800000000000000086629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.187{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome2023-01-17 10:32:24.187 11241100x800000000000000086628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.187{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent2023-01-17 10:32:24.187 23542300x800000000000000086627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.187{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage.sqlite-journalMD5=C445B9A59CC9A312697AD72988717CC6,SHA256=FEA52D475F695A840B3B7F02748A50FB9485A07A35F981A2EC33ED6CB909D705,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.840{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\Windows.UI.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=D3F324CB3A994CE40D1059E08C8D83C6,SHA256=509339A871B7A42CE5C0307DE3DC1068BCDE461093CA2F2F87C75105FA306955,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 11241100x800000000000000086625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.187{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage.sqlite-journal2023-01-17 10:32:24.124 23542300x800000000000000086624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.172{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage.sqlite-journalMD5=ED37112A643A82C55A6FBB7A3D04587F,SHA256=8C3421AB26525D11A5B50EB9D9FE17949E4F3E4765CEF52007BF2598BA8E4766,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.172{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage.sqlite-journal2023-01-17 10:32:24.124 23542300x800000000000000086622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.172{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\ls-archive.sqlite-journalMD5=EA861CDB1848D1A835AF95AE11651F16,SHA256=A46ED7DDB21E1E49BB0A85977991CF390D74756A2C1628D04653C2B77BF639BF,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.782{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\ipcclientcerts.dll108.0.2-FirefoxMozilla Foundationipcclientcerts.dllMD5=3585F6C5A5896EAA0769537521210B00,SHA256=BC09C8FB8284B8AF4621A923BDF0BC6F11AD115A2D78449AB7965B333FF0C670,IMPHASH=08E5B218A783076799C91A3BDB511B6BtrueMozilla CorporationValid 734700x800000000000000086620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.766{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 11241100x800000000000000086619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.157{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\ls-archive.sqlite-journal2023-01-17 10:32:24.124 23542300x800000000000000086618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.157{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\ls-archive.sqlite-journalMD5=97B47120AD34E34FFE17EDACC0CB82FA,SHA256=2205B9F68C0D01FA3FC134D7DFB66DB44EBA3DD1D1B067732994601DE782660D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.751{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 11241100x800000000000000086616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.157{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\ls-archive.sqlite-journal2023-01-17 10:32:24.124 23542300x800000000000000086615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.157{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\ls-archive.sqlite-journalMD5=56E675B5F63DDA0E405F32232F934378,SHA256=97BB801E43267976169CCDD8112996CA9DB61A899CD029D316C02FCCCD2D66DC,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.438{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\WinTypes.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=66D8DF1956272C96C3C9A27D9CF1E700,SHA256=615CFE128949B501E3828CF8409ED9ED25E9D8CC46FB7689F7A292736EFE0EBA,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x800000000000000086613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.895{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\WinTypes.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=66D8DF1956272C96C3C9A27D9CF1E700,SHA256=615CFE128949B501E3828CF8409ED9ED25E9D8CC46FB7689F7A292736EFE0EBA,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x800000000000000086612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.150{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000086611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.150{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000086610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.150{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 11241100x800000000000000086609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.146{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\ls-archive.sqlite-journal2023-01-17 10:32:24.124 23542300x800000000000000086608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.145{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\ls-archive.sqlite-journalMD5=00C238FC75CAABDA13E66FD63FCBD9E0,SHA256=DC5372C2F36B0FEF8EA4B504006C2A1C5AA3C86F6ED73B43C7F3CCB75B65FAC1,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.438{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\twinapi.dll10.0.14393.5582 (rs1_release.221130-1719)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=A335F8115F538BD8FEC406D7A4F00227,SHA256=C43F59F15F4E857B77ECFDBABE9BAFCC56705CF2E6AEAC944C91CE13454B292E,IMPHASH=BE2A18E7131BB697F5E7CE37E2AEC582trueMicrosoft WindowsValid 734700x800000000000000086606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.824{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\twinapi.dll10.0.14393.5582 (rs1_release.221130-1719)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=A335F8115F538BD8FEC406D7A4F00227,SHA256=C43F59F15F4E857B77ECFDBABE9BAFCC56705CF2E6AEAC944C91CE13454B292E,IMPHASH=BE2A18E7131BB697F5E7CE37E2AEC582trueMicrosoft WindowsValid 10341000x800000000000000086605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.140{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000086604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.140{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000086603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.140{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000086602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\ls-archive.sqlite-journal2023-01-17 10:32:24.124 11241100x800000000000000086601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\ls-archive.sqlite2023-01-17 10:32:24.124 11241100x800000000000000086600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage2023-01-17 10:32:24.124 23542300x800000000000000086599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage.sqlite-journalMD5=0DD7D9B01DB6C33271598ED3C655870F,SHA256=40062B40ABC29AAE0F15BCDE1D334A457023731917560763CF7F33D45CC7D041,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.438{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.5427 (rs1_release.220929-2054)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=042BC1A44912D2421330C30291BC7AA1,SHA256=FBE69152BD0294AC80715FA35B0F8DE59A29DBE9DFC5E5041CB8AA6BB8B790DE,IMPHASH=9A2F821D250C4CEBC0627590331B869DtrueMicrosoft WindowsValid 11241100x800000000000000086597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.tmp2023-01-17 10:32:24.124 11241100x800000000000000086596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB2023-01-17 10:32:24.124 11241100x800000000000000086595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates2023-01-17 10:32:24.124 11241100x800000000000000086594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\times.json2023-01-17 10:32:23.392 11241100x800000000000000086593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage.sqlite-journal2023-01-17 10:32:24.124 23542300x800000000000000086592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\times.jsonMD5=F68F2C1168792C54C263163276C79733,SHA256=F5EAEC4FBEB135F7EE29D01725F3D8805B9CCEEE8930833BC20EFCB3BDACB147,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage.sqlite2023-01-17 10:32:24.124 11241100x800000000000000086590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000086589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.124{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.108{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 734700x800000000000000086587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.108{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3925E01E00CC6FF3435E0657E78562D0,SHA256=843F42CE8D28816A990ADB0B9393592703F8CE5A4008E5F5513815A2886F973F,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x800000000000000086586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.438{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.5427 (rs1_release.220929-2054)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=398C0C74B6EAB81F28413187CB31C3FC,SHA256=FDC3478B768C9666A82CFA7B5F78EB846F9C466C0FB9A3CE26B3E865A605BBF9,IMPHASH=1278B10B4CD792CEC37AF93D76A387ECtrueMicrosoft WindowsValid 734700x800000000000000086585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.108{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=C9DBBC2C3A27BB195586C3BC3CDBC198,SHA256=005F60E22A386DB12FA086D7E83DE521B00F69B073D1859E4E13C3F745690638,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x800000000000000086584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.438{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x800000000000000086583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920,IMPHASH=55727E718711848BBCDC7F433974B473trueMicrosoft WindowsValid 734700x800000000000000086582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\nlaapi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=F53A9610394247F1732F28123D3717C0,SHA256=A0E5CEEDD01FBB38B37A9B3B70CD883925AFEB677CECEA55B88800C881EF82A8,IMPHASH=0B7F4620EB804B43452C1AFA5341A2C2trueMicrosoft WindowsValid 734700x800000000000000086581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.818{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\nlaapi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=F53A9610394247F1732F28123D3717C0,SHA256=A0E5CEEDD01FBB38B37A9B3B70CD883925AFEB677CECEA55B88800C881EF82A8,IMPHASH=0B7F4620EB804B43452C1AFA5341A2C2trueMicrosoft WindowsValid 734700x800000000000000086580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686E,IMPHASH=421DFA99869D231800F1E7ABEE7E4DA4trueMicrosoft WindowsValid 734700x800000000000000086579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000086578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000086577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.782{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000086576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.952{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000086575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.952{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000086574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.952{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000086573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000086572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.782{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000086571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.952{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 11241100x800000000000000086570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.077{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000086569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.077{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232B59270ABF05B75046C63694EF8A64,SHA256=1D9903983F7BE9E7E1598CBCDF5E7F6928E8340DEF0191EC024DD78B934A8871,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000086568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000086567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x800000000000000086566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000086565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.735{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000086564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.927{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000086563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.344{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 11241100x800000000000000086562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.030{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionCheckpoints.json.tmp2023-01-17 10:32:24.030 11241100x800000000000000086561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.030{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d2462023-01-17 10:32:24.030 23542300x800000000000000086560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.014{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journalMD5=364D13B4E1B64574272201A81F1425CB,SHA256=5438EE4AD0CAE47658AB6208D4D1D7BAE44C33AD0A02C8FDBAE8D4EFB73EF653,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.999{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journal2023-01-17 10:32:23.983 23542300x800000000000000086558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.999{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journalMD5=68679B7830B2F120451BE663511BA501,SHA256=AB052DC6F3399942E01F9A6A7EEE73F8C79D445AA9001067A3CAA19912D76810,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000086557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.999{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journal2023-01-17 10:32:23.983 23542300x800000000000000086556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.999{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journalMD5=4455031624B9487697F1A169180E87B3,SHA256=31760BEA1011EF4A5DD9CB9D7DD51BDE5AED90F08A5B1217480AECF2ECFEAF40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:25.851{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0462EB2290727B00242D8DEDD359CDB,SHA256=A880C6A9CB1E012962515B1C35FDC34B55619DFA154D97C0BE025228B8867712,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.996{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.996{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.996{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.996{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.995{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.995{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.995{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000087507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.988{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:32:24.361 11241100x800000000000000087506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.960{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\63F48F4F7F1BC3195F5AB831F9794F3DBA2D30E12023-01-17 10:32:25.959 23542300x800000000000000087505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.940{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.936{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\fed2f353ce9809922023-01-17 10:32:25.936 11241100x800000000000000087503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.936{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\9c9aa4169e4a5bb12023-01-17 10:32:25.936 11241100x800000000000000087502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.935{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.935{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 23542300x800000000000000087500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.934{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=92E6A0A3809596F6DED2548123885C17,SHA256=22ABB2DC62EDAD20198AD7943EAE2FD2CA40EAD0E53D69E3ED1065689894D076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.931{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=D5BB2463288A294663451B5586747ACB,SHA256=143107DECBB47637D61C7C93AA0E4996EC499D5A4D7267A62EADAD98497C2B43,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.897{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm2023-01-17 10:32:25.878 11241100x800000000000000087497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.897{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal2023-01-17 10:32:25.877 23542300x800000000000000087496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.896{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-walMD5=74E215C309D4C994B38E926D3EB1B38E,SHA256=DEBBAEEEC1CE9F4011EF911792C3617C59797E5A9057A02FBA5645FE7D8BD055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.895{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=C5F701F3689279EB39770B0802F57AB8,SHA256=4FB78385A590C283918FDA94EC24AA085D91B3924E9ED22D546C946B09DA26E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.891{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.files2023-01-17 10:32:25.890 734700x800000000000000087493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.877{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42,IMPHASH=F3640F50846C35CCE7151F1E835AE727trueMicrosoft WindowsValid 11241100x800000000000000087492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.883{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 23542300x800000000000000087490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.879{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=7967BB43A452358A86F9E1242C73B7E7,SHA256=95DD79FDF937ECE45CA097D028C07EAA3B955C12154231D4BD9EF5C1857DA009,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm2023-01-17 10:32:25.878 11241100x800000000000000087488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal2023-01-17 10:32:25.877 23542300x800000000000000087487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.877{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-journalMD5=00EB152858D6AE449303BF386627DE13,SHA256=6BBC143705E5E07D7BDA6A1CC30C6119C6FA3D9DAB0DEB085F209CD3D8470C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.877{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=74AD406304C80FC8953491B300B48D5F,SHA256=7893FE15D9CD11679138CBFB098A56A52460AC3428A72D3122DA14D5F47724AF,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.873{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 11241100x800000000000000087484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.870{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-journal2023-01-17 10:32:25.862 11241100x800000000000000087483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.869{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F2023-01-17 10:32:25.869 23542300x800000000000000087482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.869{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-journalMD5=193047B7E31A4303A5A2DA9ABC622447,SHA256=D62FAD6158A897540A5EB90AA13842F24A0C07B91D94E54A0A891565A0854930,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.863{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.863{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 11241100x800000000000000087479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.862{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-journal2023-01-17 10:32:25.862 11241100x800000000000000087478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.862{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite2023-01-17 10:32:25.861 23542300x800000000000000087477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.861{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.859{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.859{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.859{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000087473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.859{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.858{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 10341000x800000000000000087471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.858{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.858{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.858{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000087468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.856{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage.sqlite-journalMD5=E27D4FC8953D77840376DA978C5ABAC8,SHA256=23D11DE838BC06EEF7C60A9DBA37F2EC68DB9C60850111EA4B9DC13F28D958D2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.849{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage.sqlite-journal2023-01-17 10:32:24.124 11241100x800000000000000087466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.849{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm2023-01-17 10:32:25.828 11241100x800000000000000087465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.849{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default2023-01-17 10:32:25.848 11241100x800000000000000087464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.848{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal2023-01-17 10:32:25.827 11241100x800000000000000087463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.848{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\temporary2023-01-17 10:32:25.847 23542300x800000000000000087462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.847{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-walMD5=A815AF0E4EFD31DF79B2F2F55F172BAD,SHA256=61870EF741D6793DD7A143F0BB505C3B53CB78AD9C1E3505D2C511AE19812743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.845{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=01F4743DEBDF4FB0B64F7A18FB43A98F,SHA256=D1F8D021BAC047A588432BF887C72C7A70B2D1202BED978FA5A8AA7E0FE6BE0B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.841{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files2023-01-17 10:32:25.841 10341000x800000000000000087459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.831{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.829{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm2023-01-17 10:32:25.828 11241100x800000000000000087457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.828{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal2023-01-17 10:32:25.827 23542300x800000000000000087456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.828{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.827{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-journalMD5=813C72379614BFA82D3FB8C7DEAB6365,SHA256=96CA4BFDD1A2A27C367631B0DECCF664939DC96E4C7CB9A03FF1359F9B58C6BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.824{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.824{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 23542300x800000000000000087452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.823{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=AC6CDD202D2E401592885D34439F77D3,SHA256=78955D008DDF58AABEA88AE8E63C4E42836694387B606C3BE9941E13D7FC6674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.822{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B5474662CD586FC30E1744EC99C89765,SHA256=86DCCF26124BD1D37BACDF0B17DC8E25F0DED90C21A430198AB6B5B1D27B6995,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.821{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-journal2023-01-17 10:32:25.809 23542300x800000000000000087449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.820{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-journalMD5=F00297553CB344E48E10C04B29985AA7,SHA256=39B1CBA36D762263C512C06474D22F76AE8DA09E8B0BDF74007FF44D8B98B242,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-journal2023-01-17 10:32:25.809 11241100x800000000000000087447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.808{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 11241100x800000000000000087445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.808{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite2023-01-17 10:32:25.808 23542300x800000000000000087444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.807{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.805{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4F2F965333060B0D4CCAB3A60041A95C0AFFF4CD2023-01-17 10:32:25.805 11241100x800000000000000087442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.805{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D8350122944640F3BA129AA87FCFAF93EDCFC6CB2023-01-17 10:32:25.804 11241100x800000000000000087441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.804{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.804{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 11241100x800000000000000087439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.803{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7EF4591F0C61F5763884CBDB66E6B376BF5B880B2023-01-17 10:32:25.803 11241100x800000000000000087438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.802{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4E9C753547C24D2B8C72ADEA96ED2C3BFFF1D9682023-01-17 10:32:25.802 11241100x800000000000000087437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.801{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D6F6E849ECE00589410A5592D2F1D3AB152FAD822023-01-17 10:32:25.801 11241100x800000000000000087436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.801{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\133BA7433E70D01A860D4F2682F34095B122FF422023-01-17 10:32:25.800 11241100x800000000000000087435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.799{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\221A9A4E256E9E0B9EBF295FCB49862AC3F98D592023-01-17 10:32:25.798 11241100x800000000000000087434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.798{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000087433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.798{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.798{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DF0CDE23AA0F44779E78EFEDFBAED16DB1B4DF402023-01-17 10:32:25.798 734700x800000000000000087431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.798{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 11241100x800000000000000087430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.797{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EA1E3132006CB34CB9058E6891C35B731B9C4D9B2023-01-17 10:32:25.797 734700x800000000000000087429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.797{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 11241100x800000000000000087428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.797{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E371865DFFBFA79611A389D7F3FCB1B9880F530C2023-01-17 10:32:25.796 11241100x800000000000000087427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.796{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 11241100x800000000000000087426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.796{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6DEA9BD73EE6BFE5EE1ED79B233C90FEDF9606D62023-01-17 10:32:25.795 11241100x800000000000000087425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.795{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\673FCCBE6E6CE6AA4FDFD397239D773EFDDCD5A72023-01-17 10:32:25.794 11241100x800000000000000087424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.771{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\44230749A38B6989F56217B435A03E84CCADE62D2023-01-17 10:32:25.771 23542300x800000000000000087423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.765{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\content-prefs.sqlite-journalMD5=9E9BFED5655DCFDBFC772970E6D66D3C,SHA256=3D1A0E0BF2157195516EEF0493E864F717F094FADDD38ADE980BC2CC0BA7FDEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.755{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49485-false52.33.94.40ec2-52-33-94-40.us-west-2.compute.amazonaws.com443https 354300x800000000000000087421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.708{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52420- 354300x800000000000000087420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.706{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52475- 354300x800000000000000087419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.700{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63359- 11241100x800000000000000087418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.757{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\thumbnails2023-01-17 10:32:25.757 23542300x800000000000000087417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.742{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.730{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000087415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.729{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 11241100x800000000000000087414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.717{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\startup_shaders2023-01-17 10:32:25.568 11241100x800000000000000087413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.717{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000087412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.716{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A3F155AFF536FE1AD936A37D254268,SHA256=F8CC4641F5836C2F05D992370BDD8C61C2424B9A8DAA8DCB23BCCD0385732072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.716{F172AD64-7937-63C6-6602-00000000B002}6688ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\startup_shadersMD5=D9EFA02E512EDA0A61EFABA12C20DA95,SHA256=E1907E28B2FD21685AA1FD1D3921DB98692B92ED215B7C743BE8EE0E5CF0919B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.702{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.702{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 23542300x800000000000000087408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.702{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=1B40CD8D73FFC6F5C1EF7F022DB17123,SHA256=CE05776942DAF352DA458A3948895F828D7EF7A4CB30420D072542F8D449C79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.701{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=A34198464F427CC03A7EBB179EB27128,SHA256=048C23BCCECB15817137CE544A6263AB697F14562C835CB338A5770041960EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.697{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=11E4F0F870A99F9BD847D78E0742C184,SHA256=701A35E90A91C7B4E31541DD0BE9B1FF0F654FB3BEAD4B502E9B2B0128697905,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.675{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:32:24.361 11241100x800000000000000087404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.673{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2023-01-17 10:32:25.652 11241100x800000000000000087403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.673{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2023-01-17 10:32:25.652 23542300x800000000000000087402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.671{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=8303B3EE4B967FD8506F60831015EAC9,SHA256=2DA7ACDC17B34AD59EF5AC5074DD4DB4BE02F8708AAF4AD3F5E5859C1607DB73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.668{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7AFFF4D706889C19E8C1AB11DC74BFAE,SHA256=92ACBE0B8D81EFCCC888194AF10AE2301F76C3869239E540C45FA36531192F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.664{F172AD64-7938-63C6-6802-00000000B002}5400ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41MD5=D910AD167F0217587501FDCDB33CC544,SHA256=E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.664{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files2023-01-17 10:32:25.663 11241100x800000000000000087398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.656{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\content-prefs.sqlite-journal2023-01-17 10:32:25.656 11241100x800000000000000087397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.652{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2023-01-17 10:32:25.652 11241100x800000000000000087396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.652{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2023-01-17 10:32:25.652 23542300x800000000000000087395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.651{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-journalMD5=2162D74B110D5363F16203A36011CBD2,SHA256=46B0F56FEAB6D739F4591ACB04C9FF53932C15DA4DFF540F7A2241D33F4D00CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.646{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-journal2023-01-17 10:32:25.639 23542300x800000000000000087393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.645{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-journalMD5=F1B45909F4016E7D5FE1A6F6347C7D6C,SHA256=D6606E1B5A8571ABB67F5E6D695957616B009D9367A6519D561695EBB2475081,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.641{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.641{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing\google42023-01-17 10:32:25.641 11241100x800000000000000087390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.640{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000087389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.639{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.639{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-journal2023-01-17 10:32:25.639 11241100x800000000000000087387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.638{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 11241100x800000000000000087386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.638{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite2023-01-17 10:32:25.638 18141800x800000000000000087385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:25.618{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000087384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:25.618{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-3C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000087383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\content-prefs.sqlite2023-01-17 10:32:25.609 10341000x800000000000000087382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.599{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.598{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.594{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000087379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.592{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000087378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.591{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000087377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.589{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000087376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.588{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.588{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.587{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000087373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.586{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 22542200x800000000000000087372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.889{F172AD64-7935-63C6-6402-00000000B002}2296cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000087371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.887{F172AD64-7935-63C6-6402-00000000B002}2296cs9.wac.phicdn.net072.21.91.29;C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000087369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000087368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000087367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000087366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 11241100x800000000000000087365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\bookmarkbackups2023-01-17 10:32:25.568 734700x800000000000000087364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000087363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000087362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 11241100x800000000000000087361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000087360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 11241100x800000000000000087358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\startup_shaders2023-01-17 10:32:25.568 11241100x800000000000000087357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000087356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.568{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C927EC269CB4AFD881F15194F14E1E,SHA256=E5AB955DE546F17A5C4EAA1BAA496D556B04B99F955B7AC2FA905F63219E764D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.553{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.553{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000087353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.553{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000087352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:25.553{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.5197788256770956129C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000087351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:25.553{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.5197788256770956129C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.553{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000087349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.553{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:25.553{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.5.78473191C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000087347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.553{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:25.553{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000087344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000087343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000087342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000087341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000087340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000087339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000087338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000087337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000087336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000087335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000087334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000087333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000087332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000087331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000087330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000087329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000087328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000087327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000087326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000087325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000087324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000087322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000087321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 11241100x800000000000000087320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionCheckpoints.json.tmp2023-01-17 10:32:24.030 11241100x800000000000000087319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing2023-01-17 10:32:25.538 734700x800000000000000087318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.538{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000087317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000087316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000087315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000087314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000087313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000087312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000087311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000087310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000087309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e7db2c|C:\Program Files\Mozilla Firefox\xul.dll+e80264|C:\Program Files\Mozilla Firefox\xul.dll+c36e71|C:\Program Files\Mozilla Firefox\xul.dll+c3407d|C:\Program Files\Mozilla Firefox\xul.dll+259ab7|C:\Program Files\Mozilla Firefox\xul.dll+2595e3|C:\Program Files\Mozilla Firefox\xul.dll+105b67f|C:\Program Files\Mozilla Firefox\xul.dll+1896cd9|C:\Program Files\Mozilla Firefox\xul.dll+1895150|C:\Program Files\Mozilla Firefox\xul.dll+c36636|C:\Program Files\Mozilla Firefox\xul.dll+240641|C:\Program Files\Mozilla Firefox\xul.dll+cf3efe|C:\Program Files\Mozilla Firefox\xul.dll+1884dfb|C:\Program Files\Mozilla Firefox\xul.dll+1839c21|C:\Program Files\Mozilla Firefox\xul.dll+1ce604a|C:\Program Files\Mozilla Firefox\xul.dll+1e42f11|C:\Program Files\Mozilla Firefox\xul.dll+183a008|C:\Program Files\Mozilla Firefox\xul.dll+1ce604a 734700x800000000000000087308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000087306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.525{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.5.784731911\437290370" -childID 4 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 23339 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3113d6dd-eac7-4da9-a52a-ff6a0f468d5c} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 3956 17926574758 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000087298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.522{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.521{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.521{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.521{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.521{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.521{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.521{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.520{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000087272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:25.519{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.5.78473191C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.481{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000087270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.481{F172AD64-7939-63C6-6B02-00000000B002}41886184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.481{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000087268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.481{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000087267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.454{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000087266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.454{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECDEA8590E80CC632A6D7416C728F46,SHA256=1EFB1B0E06A9B16571CDFEDB955BEE1736A4E48214F75AD28E3DCE048D0FEBE4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.450{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\4dee581185be67712023-01-17 10:32:25.450 23542300x800000000000000087264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.437{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-050MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.436{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0502023-01-17 10:32:25.436 11241100x800000000000000087262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.435{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0512023-01-17 10:32:25.435 11241100x800000000000000087261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.415{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000087260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.414{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B0D356066BC68E6072C8D51DDE9945,SHA256=92A722E1094AC12FCDC066831AE2FA34BEE45273237B96E686D98FE038556687,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.414{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\places.sqlite-shm2023-01-17 10:32:25.414 11241100x800000000000000087258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.414{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\places.sqlite-wal2023-01-17 10:32:25.414 11241100x800000000000000087257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.413{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite-shm2023-01-17 10:32:25.385 11241100x800000000000000087256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.413{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 11241100x800000000000000087255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.413{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite-wal2023-01-17 10:32:25.385 23542300x800000000000000087254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.412{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E742D0A0C158F9A4E9D21F84902E5CBB,SHA256=50B3B5BC63A143624F1EF4E352C44DE6153DC528784BAD62A5355E10A235DC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.412{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite-walMD5=29DB1287F639472CA6F7EB43C21CF03C,SHA256=3312828F5B91C8DE66C6ED6E4703D37646898BF820006369D6CF90643FD15728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.400{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite-shmMD5=12DB504AA8E157D2815C255DF08812D6,SHA256=3C9BC793DC68C6A649A338BAC51B73AE0408FC22F042B23FFC7BF49C836B5FEF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite-shm2023-01-17 10:32:25.385 11241100x800000000000000087250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite-wal2023-01-17 10:32:25.385 23542300x800000000000000087249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite-journalMD5=5CF2BE3FAA48A595633820F9D194BA62,SHA256=B4F8F22FEDB04C822999429EC497DE88A648113C0E0B2EABE912CE17F183D54B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\3b97b7c452901c6c2023-01-17 10:32:25.385 11241100x800000000000000087247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\8ffba0d711d14ed12023-01-17 10:32:25.385 11241100x800000000000000087246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\1ae1d6f0e02d246d2023-01-17 10:32:25.385 11241100x800000000000000087245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\996c49c1a646d7072023-01-17 10:32:25.385 11241100x800000000000000087244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\a3087d0f9769b4ff2023-01-17 10:32:25.385 11241100x800000000000000087243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\3e45c6d541ed5a592023-01-17 10:32:25.385 11241100x800000000000000087242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\7b0b3e201fec3a202023-01-17 10:32:25.385 11241100x800000000000000087241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\b01a0304ea7560e2023-01-17 10:32:25.385 11241100x800000000000000087240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite-journal2023-01-17 10:32:25.369 23542300x800000000000000087239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.385{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite-journalMD5=6A89C294831EB5B68D7CAC8834E2CE77,SHA256=154D7C1C7B4B44F93156CEE29E8D4CDB054326D59E4674226585FD6414EC1731,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.369{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite-journal2023-01-17 10:32:25.369 11241100x800000000000000087237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.369{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\favicons.sqlite2023-01-17 10:32:25.369 23542300x800000000000000087236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.369{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\places.sqlite-journalMD5=CB1D19A843C54ABAFD4742381D0CEDF7,SHA256=DA7216BCCEAD8294A348F5DB72915D2F1E8F50604E94773104EC18F7041AA8F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.369{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\places.sqlite-journal2023-01-17 10:32:25.369 11241100x800000000000000087234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.369{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\places.sqlite2023-01-17 10:32:25.369 734700x800000000000000087233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.333{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000087232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.332{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000087231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.332{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000087230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.331{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000087229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.329{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000087228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.329{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000087227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.328{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000087226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.328{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000087225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.322{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000087224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.321{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000087223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.321{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000087222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.321{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000087221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.320{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000087220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.320{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000087219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.320{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000087218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.320{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.320{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000087216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.320{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000087215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.319{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000087214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.319{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000087213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.319{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000087212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.319{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000087211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.319{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000087210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.319{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000087209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.319{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000087208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.319{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000087207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.319{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000087206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.319{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000087205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.318{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000087204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.318{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000087203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.318{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000087202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.318{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000087201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.318{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000087200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.318{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000087199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.318{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000087198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.317{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.316{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000087196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.316{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000087195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.316{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000087194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.316{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.316{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000087192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.315{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.315{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.299{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.299{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.299{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.169{F172AD64-7939-63C6-6B02-00000000B002}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000087186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.284{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\state.json.tmp2023-01-17 10:32:25.284 11241100x800000000000000087185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.284{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting2023-01-17 10:32:25.284 11241100x800000000000000087184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.268{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\431484CF38F5986C6980273AB79B7AD0E04C586B2023-01-17 10:32:25.268 11241100x800000000000000087183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.268{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\addonStartup.json.lz4.tmp2023-01-17 10:32:25.268 354300x800000000000000087182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:23.329{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49484-false10.0.1.12-8000- 354300x800000000000000087181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.560{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local49483-false127.0.0.1win-dc-ctus-attack-range-141.attackrange.local49482- 354300x800000000000000087180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:22.560{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local49483-false127.0.0.1win-dc-ctus-attack-range-141.attackrange.local49482- 354300x800000000000000087179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:21.086{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49481-false72.21.91.29-80http 11241100x800000000000000087178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.217{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000087177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.216{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.216{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 11241100x800000000000000087175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.177{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\49492D63EA94DEC74D8F7B5C8609BCC2D1B07E242023-01-17 10:32:25.177 10341000x800000000000000087174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.170{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000087173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.170{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000087172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.170{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000087171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.169{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000087170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.169{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000087169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.169{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000087168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.137{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.137{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 11241100x800000000000000087166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.122{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D23F7952044A1A6016B80DED46FC563716A295DF2023-01-17 10:32:25.122 23542300x800000000000000087165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.121{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=4A68E62B6622A0D65BA2D944F727872C,SHA256=0B7D5AFFE1F34BC19D43D2EA5E805C3E76E0CAE298FDF1858D6A2634E5F3933C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.109{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:32:24.361 11241100x800000000000000087163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.079{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000087162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.079{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.078{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 734700x800000000000000087160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.034{F172AD64-7938-63C6-6802-00000000B002}5400C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavcodec.dll108.0.2-FirefoxMozilla Foundationmozavcodec.dllMD5=BB22E492883A2EFEA58A6BA3B1289BF2,SHA256=955B98683873AD963157C49A9DAF8BF38BF7FF3A9698803A09D0807603146037,IMPHASH=353D225220D21B28EC6954E0D9F8F6D7trueMozilla CorporationValid 10341000x800000000000000087159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.042{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.042{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.042{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.041{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.041{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000087154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.041{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000087153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.040{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\avrt.dll10.0.14393.2969 (rs1_release.190503-1820)Multimedia Realtime RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationavrt.dllMD5=8EC9E2490A9FFA637115F758B22FFF78,SHA256=1A3295CBF09E9367CCE68505D949D724FB9B66B4516770B7D594273C3BCFC5B8,IMPHASH=F266C00A61E480BB0A81B1A89DB30014trueMicrosoft WindowsValid 11241100x800000000000000087152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.036{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-412023-01-17 10:32:25.036 11241100x800000000000000087151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.036{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\mozilla-temp-files2023-01-17 10:32:25.035 734700x800000000000000087150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.036{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000087149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.034{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 23542300x800000000000000087148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.028{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=042E1F1876058AB7225B271738F82C9E,SHA256=7CD1990102B9C904117CD69DF864E32AF52B1AA2D21FD3EDEA3932A01B72C0FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.028{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\addons.json.tmp2023-01-17 10:32:25.027 11241100x800000000000000087146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.026{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\extensions.json.tmp2023-01-17 10:32:25.026 23542300x800000000000000087145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.023{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.021{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msimg32.dll10.0.14393.0 (rs1_release.160715-1616)GDIEXT Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationgdiextMD5=78DA58DF85F86CA61E5EAFB9EF0A83BE,SHA256=3216205F5C355D582EC4B902651B62E1FF3EFFDCA40BC849D474F13F1325E962,IMPHASH=2E671B0A6A313B7E8765124B944DA4FEtrueMicrosoft WindowsValid 11241100x800000000000000087143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.020{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.020{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 23542300x800000000000000087141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.018{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=8D027B7C6AD8CB18EC11F89FBB95BBA0,SHA256=12704D6B386182449E3B9A6387FC7DF4DD7B1547DDD86315CC936E32DE920EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.017{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=54675D999A033D382528B1139CB1B87B,SHA256=027C40EFA1EDB7D8D79F261765E92A263F7A1A3BEE3DD6E6DDE7375C38902448,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.013{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:32:24.361 10341000x800000000000000087138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.009{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.008{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.000{F172AD64-7634-63C6-B901-00000000B002}490092C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.998{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 11241100x800000000000000088187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.965{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2275F9569F28969C8FC69F9660A75ADD1F8B963B2023-01-17 10:32:26.965 11241100x800000000000000088186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.953{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0AD79752D6C610960D3973ECFAFCBEDAB20F20272023-01-17 10:32:26.953 11241100x800000000000000088185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.914{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.914{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554498431FC937EFA832CCF555A175B8,SHA256=26AE8EDB2EC6C4C884D26DE8DA0B958FCA5A794F332A2D2B8BC235962A3F0E38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.913{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.913{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.913{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.913{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.913{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.912{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000088177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.898{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FF63A96CB0EE05C4E8600CAFADA617EBA0BAB35D2023-01-17 10:32:26.897 734700x800000000000000088176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.878{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000088175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.853{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x800000000000000088174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.877{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 11241100x800000000000000088173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.875{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x800000000000000088172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.875{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 23542300x800000000000000088171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.875{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822F8B6A3E39D72EA1839A1BECDB6FB2,SHA256=D45123D9577F232F61A17DA73DB4AA3DEFB8DF1A4B08B850563B4E602728318A,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000088170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.870{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000088169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.866{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000088168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.865{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000088167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.863{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 11241100x800000000000000088166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.857{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.857{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0477BAFD69D1694696965E5FCD653844,SHA256=54B4D99FB6EB9CEE0CE08931F8AE7B702CFF32DCF12D4DEEDCB69148AA5E8C98,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000088164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.853{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000088163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.852{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000088162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.851{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000088161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.851{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000088160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.851{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000088159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.850{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000088158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.850{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000088157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.849{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000088156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.849{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000088155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.849{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000088154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.849{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000088153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.849{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000088152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.849{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 354300x800000000000000068959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:25.105{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50338-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000088151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.849{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000088150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.848{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000088149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.848{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000088148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.848{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000088147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.847{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000088146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.847{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000088145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.846{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000088144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.846{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000088143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.845{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 11241100x800000000000000088142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.845{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CDA62003B1B987A64F1FAC75D1484DBFF94F08FB2023-01-17 10:32:26.845 734700x800000000000000088141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.845{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000088140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.845{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000088139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.844{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000088138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.844{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000088137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.843{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000088136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.843{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000088135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.842{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.840{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000088133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.840{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000088132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.838{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.838{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.835{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.835{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.835{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000088127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.834{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000088126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.831{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.831{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.653{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000088123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.785{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl.tmp2023-01-17 10:32:26.785 11241100x800000000000000088122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.784{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D32023-01-17 10:32:26.784 354300x800000000000000088121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.880{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49493-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x800000000000000088120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.788{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49491-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x800000000000000088119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.785{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49492-false108.156.183.192server-108-156-183-192.cmh68.r.cloudfront.net443https 354300x800000000000000088118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.784{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51865- 354300x800000000000000088117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.784{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64758- 354300x800000000000000088116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.775{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52369- 354300x800000000000000088115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.765{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64140- 354300x800000000000000088114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.765{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62439- 354300x800000000000000088113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.765{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53949- 354300x800000000000000088112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.721{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49490-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x800000000000000088111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.709{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61732- 354300x800000000000000088110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.707{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51970- 11241100x800000000000000088109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.739{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FD2E3D64B320BB4E3B9EB43B80D036132555472C2023-01-17 10:32:26.739 23542300x800000000000000088108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.738{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\pending_pings\3d051242-8d32-409f-b372-839e1a10cc45MD5=1507675B657DAAC2975F707F94F639CB,SHA256=2E0B179D5163AD54C1D25892DDC4BC8DE30C3683F3A713B260F4868DFBF3CE37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.707{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.707{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.707{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.706{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.706{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.706{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000088101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.690{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C23082023-01-17 10:32:26.689 10341000x800000000000000088100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.663{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.663{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.663{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.662{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.662{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.662{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000088094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\settings\main\ms-language-packs\browser\newtab2023-01-17 10:32:26.654 11241100x800000000000000088093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\settings\main\ms-language-packs\browser2023-01-17 10:32:26.653 11241100x800000000000000088092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.653{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\settings\main\ms-language-packs2023-01-17 10:32:26.653 11241100x800000000000000088091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.653{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\settings\main2023-01-17 10:32:26.653 11241100x800000000000000088090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.653{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\settings2023-01-17 10:32:26.653 11241100x800000000000000088089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.652{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA846104952023-01-17 10:32:26.650 11241100x800000000000000088088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000088087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.630{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.629{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 22542200x800000000000000088085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.022{F172AD64-7935-63C6-6402-00000000B002}2296prod-classifyclient.normandy.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.960{F172AD64-7935-63C6-6402-00000000B002}2296prod-classifyclient.normandy.prod.cloudops.mozgcp.net034.98.75.36;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.951{F172AD64-7935-63C6-6402-00000000B002}2296accounts.firefox.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.950{F172AD64-7935-63C6-6402-00000000B002}2296accounts.firefox.com052.42.219.49;52.11.189.12;35.160.102.233;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.949{F172AD64-7935-63C6-6402-00000000B002}2296accounts.firefox.com0::ffff:35.160.102.233;::ffff:52.42.219.49;::ffff:52.11.189.12;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.935{F172AD64-7935-63C6-6402-00000000B002}2296prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.934{F172AD64-7935-63C6-6402-00000000B002}2296prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.658{F172AD64-7935-63C6-6402-00000000B002}2296www.mozorg.moz.works9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.656{F172AD64-7935-63C6-6402-00000000B002}2296www.mozorg.moz.works0108.156.183.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.648{F172AD64-7935-63C6-6402-00000000B002}2296detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.639{F172AD64-7935-63C6-6402-00000000B002}2296example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.638{F172AD64-7935-63C6-6402-00000000B002}2296example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.583{F172AD64-7935-63C6-6402-00000000B002}2296prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.582{F172AD64-7935-63C6-6402-00000000B002}2296prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.581{F172AD64-7935-63C6-6402-00000000B002}2296detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.192{F172AD64-7935-63C6-6402-00000000B002}2296prod.content-signature-chains.prod.webservices.mozgcp.net02600:1901:0:92a9::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.190{F172AD64-7935-63C6-6402-00000000B002}2296prod.content-signature-chains.prod.webservices.mozgcp.net034.160.144.191;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.085{F172AD64-7935-63C6-6402-00000000B002}2296a1887.dscq.akamai.net02600:141f:4000:9::17ca:5a0e;2600:141f:4000:9::17ca:5a04;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.084{F172AD64-7935-63C6-6402-00000000B002}2296a1887.dscq.akamai.net023.64.114.213;23.64.114.220;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.083{F172AD64-7935-63C6-6402-00000000B002}2296r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:23.64.114.220;::ffff:23.64.114.213;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000088065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.587{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\pending_pings\c60128ef-a7d1-46bb-ae15-6e407abac39cMD5=EC73288438E162446F158FD20B9BB88D,SHA256=96F45BC3AACD18ECA104F51EB84E26ED20E0498920B0E87D3FF9AF1B55106CFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.587{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\144D6CEFCF006F995CDB9FC264C20054CE1D5B562023-01-17 10:32:26.586 734700x800000000000000088063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.523{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000088062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.522{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000088061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.518{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.516{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000088059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.513{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\026554CFCA74568F33E9E8C292E1C12C9F1AE8842023-01-17 10:32:26.512 734700x800000000000000088058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.510{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000088057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.508{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000088056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.507{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000088055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.504{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000088054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.503{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.503{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.503{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000088051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.501{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000088050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.499{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000088049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.498{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000088048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.498{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000088047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.497{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000088046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.497{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000088045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.492{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-6C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000088044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:26.492{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-6C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.490{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000088042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.489{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000088041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.489{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000088040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.473{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.472{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000088038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.471{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000088037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.470{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 18141800x800000000000000088036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.470{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.11806385193368790416C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000088035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:26.470{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.11806385193368790416C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000088034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.469{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000088033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.469{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.8.142827402C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000088032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.465{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000088031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.465{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.452{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000088029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.451{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000088028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.450{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000088027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.450{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000088026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.450{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000088025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.449{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000088024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.449{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 23542300x800000000000000088023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.447{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\pending_pings\180b9a15-ecd2-4772-898b-3432a7a1fd19MD5=A28158CF46542D12A9CADC2E5AAB1B0B,SHA256=1574588192CB40FD9BE53ADF768BBF542C36F7299B241A8DA12E30AFB72541A1,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000088022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.446{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000088021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.446{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000088020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.440{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69,IMPHASH=C88C4D131D277C03F0879B4E0D5679DBtrueMicrosoft WindowsValid 11241100x800000000000000088019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.446{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\89C9B59023C6004C5FCA8E641B2BD533BAA7F06E2023-01-17 10:32:26.445 734700x800000000000000088018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.445{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 11241100x800000000000000088017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.445{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B46CAF72DA74ADBC6615E10BB2D52387D27F84922023-01-17 10:32:26.445 734700x800000000000000088016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.444{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000088015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.443{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000088014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.442{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000088013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.442{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000088012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.442{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000088011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.441{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000088010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.440{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000088009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.440{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000088008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.438{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000088007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.437{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000088006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.437{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000088005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.436{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000088004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.436{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 23542300x800000000000000088003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.436{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-051MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000088002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.434{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000088001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.434{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000088000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.432{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000087999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.432{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000087998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.431{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000087997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.430{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000087996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.430{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000087995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.429{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000087994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.428{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000087993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.426{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 10341000x800000000000000087992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.426{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.426{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.425{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.425{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.424{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000087987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.424{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.423{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.422{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000087984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.421{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.420{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.419{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.420{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.8.1428274022\1829660026" -childID 7 -isForBrowser -prefsHandle 4788 -prefMapHandle 4628 -prefsLen 29674 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f077e8d2-ab4c-490c-81a7-34dce632fd7e} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 4860 1793d72a858 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000087980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.418{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.418{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.418{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.418{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.418{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.417{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.417{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.417{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.417{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.417{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.416{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.416{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.416{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.416{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.416{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.415{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.415{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.415{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.415{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.415{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.414{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.414{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.414{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.414{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.413{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.413{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000087954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:26.410{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.8.142827402C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.390{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\taskschd.dll10.0.14393.4651 (rs1_release.210911-1554)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=5FE3004A4C13FBC1B67CA879BB23800B,SHA256=120A7B49788154395D02C920D9F699EC944784C5162D9CDF8AFD8C927A26B1D1,IMPHASH=2C7BF5CADC559377391AFDF385763E3CtrueMicrosoft WindowsValid 734700x800000000000000087952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.401{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000087951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000087950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.399{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000087949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.398{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000087948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.394{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.394{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DC37C57CCDC8D60AA866BE38CD73F9DF3A92714C2023-01-17 10:32:26.394 10341000x800000000000000087946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.393{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.389{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000087944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.388{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429857ECC2DAC09AA0C0E176C3412A81,SHA256=7FFE0DAF12EDF5669E27208E169BCD3166F2D02C7B719AA0E2D3796441C1D206,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.388{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000087942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.388{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000087941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.387{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000087940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.385{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000087939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.384{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 10341000x800000000000000087938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.382{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.381{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.381{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000087935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.379{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.379{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.378{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 11241100x800000000000000087932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.377{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000087931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.376{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.376{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000087929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.376{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 11241100x800000000000000087928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.tmp2023-01-17 10:32:24.124 11241100x800000000000000087927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.375{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 734700x800000000000000087926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.374{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 18141800x800000000000000087925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.374{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-5C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000087924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:26.374{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-5C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.374{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 18141800x800000000000000087922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.373{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000087921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:26.373{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-4C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.373{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000087919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.373{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000087918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.372{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000087917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.371{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000087916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.370{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000087915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.370{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000087914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.369{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.369{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.368{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000087911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.366{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000087910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.363{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000087909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.363{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000087908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.363{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000087907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.363{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000087906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.363{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000087905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.362{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000087904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.362{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000087903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.362{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000087902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.352{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000087901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.351{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000087900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.349{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000087899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.348{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.346{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000087897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.345{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000087896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.344{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 18141800x800000000000000087895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.344{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.4655962698911662366C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000087894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:26.344{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.4655962698911662366C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000087893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.343{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.343{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.7.128833795C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000087891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.339{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.339{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000087889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.334{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.333{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000087887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.333{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000087886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.332{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000087885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.332{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000087884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.331{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000087883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.331{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000087882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.330{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 18141800x800000000000000087881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.330{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.17517184707298471590C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000087880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:26.330{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.17517184707298471590C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.330{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000087878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.330{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000087877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.330{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x800000000000000087876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.329{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.329{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.6.29116221C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.329{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000087873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.328{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000087872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.328{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000087871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.327{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 23542300x800000000000000087870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.327{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=E676BA1BA1D08DDD89EA706280978CC7,SHA256=5BBE00AA71567DF393CEE4B88AD19DEEE4E99D7CD6FEF42EB471F5133D62FFAB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.326{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 11241100x800000000000000087868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.325{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.325{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=FDE8071EC717B18D3957FD1CEEFA1B5E,SHA256=B144070D71C5C496FC14972D23906F385BC593D0FEF4F9283042FA55A89A6FFE,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.325{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000087865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.324{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000087864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.324{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000087863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.324{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000087862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.323{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000087861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.323{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 10341000x800000000000000087860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.322{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000087859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:26.322{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000087858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.321{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000087857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.318{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000087856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.318{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000087855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.317{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.317{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000087853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.316{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000087852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.316{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000087851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.315{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000087850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.315{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000087849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.315{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000087848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.315{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000087847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.314{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000087846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.314{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000087845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.314{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000087844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.313{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000087843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.313{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000087842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.312{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000087841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.312{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 11241100x800000000000000087840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.312{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:32:24.361 734700x800000000000000087839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.312{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 10341000x800000000000000087838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.312{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.312{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000087836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.311{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000087835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.311{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x800000000000000087834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.311{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.311{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 11241100x800000000000000087832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.310{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\66B74AA167026A3DCC4BA7064E8D6E229DE9D8062023-01-17 10:32:26.310 734700x800000000000000087831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.310{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000087830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.310{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000087829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.309{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000087828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.309{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000087827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.308{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000087826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.308{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000087825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.308{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000087824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.307{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000087823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.307{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000087822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.307{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000087821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.307{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000087820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.306{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.306{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000087818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.306{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.305{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.305{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000087815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.304{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000087814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.304{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000087813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.303{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.303{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000087811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.301{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000087810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.301{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x800000000000000087809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.301{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.301{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.300{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.300{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.299{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x800000000000000087804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.299{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000087803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.298{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x800000000000000087802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.298{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd48f|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.298{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.7.1288337957\259663195" -childID 6 -isForBrowser -prefsHandle 4268 -prefMapHandle 3828 -prefsLen 29314 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c790551e-212b-4c8b-8be4-0cf269cad722} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 4408 1793d442958 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x800000000000000087800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.298{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000087799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.297{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x800000000000000087798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.297{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.297{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.297{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\tmp\3d051242-8d32-409f-b372-839e1a10cc452023-01-17 10:32:26.297 10341000x800000000000000087795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.297{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.297{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.297{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x800000000000000087792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.296{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.296{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.296{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 10341000x800000000000000087789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.296{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.296{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=E053757DFC117F975D4B62FDFBE724CD,SHA256=E677DA0808EA0F4BD279F9290C69AB24F6E8F6B26398DA7A23F09659AC65B3F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.296{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.296{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 10341000x800000000000000087785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.295{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.295{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.295{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000087782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.295{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.295{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.295{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.294{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.294{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.294{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.294{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.294{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.294{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.293{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.293{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.293{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 10341000x800000000000000087770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.293{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.293{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.293{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 23542300x800000000000000087767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.293{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=565DC87D9F691FBF7435BB6D9758F1CE,SHA256=B3DBB99F53ED0FBA805BE6D98521D2903ACBFB85368A0E49BDAA6008BC6ABA00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.293{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.292{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.292{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.292{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000087762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.291{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000087761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.290{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.290{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.290{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000087758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.289{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.289{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.289{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.288{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=1DA28FC5D0C92B26537627F3E12ECCCC,SHA256=5D839774476452578871D632831AEE92F33DA0952CEF4DA28F66545B5D6F6A3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.288{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.288{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.288{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.6.291162217\256865248" -childID 5 -isForBrowser -prefsHandle 4360 -prefMapHandle 4324 -prefsLen 29314 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf5a95f-d67e-4318-bd93-c3c169ac0157} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 4372 1793d442358 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 11241100x800000000000000087751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.287{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2897D147DDFC3B1AC15675BB43AA7096EB4912772023-01-17 10:32:26.287 10341000x800000000000000087750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.287{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.286{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.286{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=F6700B626230B3299D53477BD5FC5F5E,SHA256=AE14E2C2852908F7EA169FD75A9904B165F58A4C36A586662AB41ADDC4F78296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.286{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.286{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.286{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.285{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.285{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 10341000x800000000000000087742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.285{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.285{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.284{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=00DEA3545A36D845B3B625E4F37A90D0,SHA256=3AD1E8913EA00C4A45E2AE5CECB9ECA6E3078DFA8DCD1065396E9481D4891F49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.284{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.284{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\handlers.json.tmp2023-01-17 10:32:26.283 10341000x800000000000000087737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.284{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.283{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.283{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.283{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.283{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 10341000x800000000000000087732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.283{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.283{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.283{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=8B979A5DBD443E44F0F2AB453B572AEE,SHA256=85FC347603C85425031B6140DB2A6239297E5ABBDF1F0C6DAD3F0410A6EB1835,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.282{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.282{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.282{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shield-preference-experiments.json.tmp2023-01-17 10:32:26.281 10341000x800000000000000087726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.282{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.281{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.281{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 10341000x800000000000000087723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.281{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.281{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.281{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.281{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=6C8DD3271A5B04D4128FFCBF5B6B2E6F,SHA256=278FA13291263A5234C35DC669C21E792C695791B5A81F99AF90E7B20DA4CEA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.280{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.280{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.280{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.280{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000087715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:26.280{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.7.128833795C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000087714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.279{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.279{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\extensions.json.tmp2023-01-17 10:32:25.026 11241100x800000000000000087712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.279{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.279{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=D80A267ECEE80C923F1DD340745D5C29,SHA256=B89EBCB331820A4F05386046061F72A7576EF7F57ABBBC242B9A2E4246F39821,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.277{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 11241100x800000000000000087709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.277{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\extension-preferences.json.tmp2023-01-17 10:32:26.277 23542300x800000000000000087708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.277{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=46CCCBCDCB2864D78CE8B3362C6EFFE3,SHA256=72CFEE21434E33B900F8B96D90D2FC42D6E85EE737FB9987C970B14EE8AFAEE6,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000087707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:26.276{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.6.29116221C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000087706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.276{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.276{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=1EC8F7B17E4F0A7354978B72A4087FCD,SHA256=6549963AF278DF3101E99468CBC460DE96185263CCC80F1B52156B9378ABD0B9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.275{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.274{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=544644D67D60A36FC0AD84C578222D91,SHA256=03461420A0CC4FCCE5CFD41DF7311BF3E7F50964A7AC86F032C7EDD51292D289,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.273{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.272{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=A4743FE94102AF218A05F04F9B20BEC9,SHA256=CF6DCAE266A08A894BABCB26A1DDF7BC1976A7E57F87F2C585DD0D82F7A7A601,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.271{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.271{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=4169B8F69121C9512D1DAB360302F5A6,SHA256=9AFE11F999EE0C2E8984C180EC02898381B6BE8552BEF5EAC949EAE875338CFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.269{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=A88BA4031A91A12B39D4943D3364563F,SHA256=AB1BDC62E77D5727D8F1DE45EE0E21B6F2F35932C1E48731A0886B0E3CD22638,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.268{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 11241100x800000000000000087695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.268{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D6B0ADD0DAEA00708CBB4290B85CCA0E0FA790612023-01-17 10:32:26.268 23542300x800000000000000087694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.267{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=FAEB5C013D259B08726857071FD52AC4,SHA256=74F8EB6BEE47062B15D457A6EC300C9BFF753D005975E25EF684A497E47FDBA2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.266{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.266{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=7996E27049F9AD5637FAA00357C57B91,SHA256=2E595C776461063AA185A1793966FAF3E58E069C33BB66E352135DA8C307F5C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.265{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.265{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=52D8836AAAD8C8249F73B2F3BE389506,SHA256=7CDE815B162410079541E40594A89F073F6B0BDEA29ED9C39386E650599415A3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.263{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 354300x800000000000000087688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.342{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62112- 354300x800000000000000087687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.341{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54446- 354300x800000000000000087686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.330{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49489-false34.160.144.191191.144.160.34.bc.googleusercontent.com443https 23542300x800000000000000087685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.262{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=6CE3DB8C3A176FEF37D21D1C22288528,SHA256=9CEFD409730AE7E7D99B05E4557E553A16D602B7523BEF77B3BE9D9F669A3186,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.318{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50262- 354300x800000000000000087683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.315{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50225- 354300x800000000000000087682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.220{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49488-false23.64.114.220a23-64-114-220.deploy.static.akamaitechnologies.com80http 354300x800000000000000087681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.211{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53177- 354300x800000000000000087680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.197{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63793- 354300x800000000000000087679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.167{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49487-false35.241.9.150150.9.241.35.bc.googleusercontent.com443https 354300x800000000000000087678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.147{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64779- 354300x800000000000000087677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.146{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62247- 11241100x800000000000000087676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.259{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.258{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=B806A627246352423BAF16D0B946370A,SHA256=F9696DEE32FF0C9D4596CC6245982FAB5CA26D7F3422E31ECDBC1457A932B28A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.255{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\tmp\c60128ef-a7d1-46bb-ae15-6e407abac39c2023-01-17 10:32:26.254 11241100x800000000000000087673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.254{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.254{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=C512089F31F80C05E6519E4F3118E952,SHA256=82652434E96F36CB77DA1FA30E4B39631C706D9583701D6F3223DEF4F0E730A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.252{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.252{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=17AA735BD364D4D2AAFFCD0BE85FB9E7,SHA256=D8DB4947AA0A81022DDA90F4B6FAC1523249524F1F1E2EF2C343714B3C0E6D16,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.251{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.250{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=9FB33A32787F8EA85F7C317597C60DDD,SHA256=07791090C90CBD568AFCF616349C613D2FDAFBB7413473764A70BDF3A2897543,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.248{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.248{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=F2654F3DB198DAB226EAFB653435550B,SHA256=485879F62995DF3D71669BB17880849D651E4265E77B4647A3EB8334399F6CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.248{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\protections.sqlite-journalMD5=66DCAAAD21B0EB573AF4BEA0092A3176,SHA256=9912DEC52A454BC9F7C2BBF3688A972953464048AA0F5474EA015163BCC9C187,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.247{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AA70DA0EA77AF599D16F76E79A98272BA138060D2023-01-17 10:32:26.246 11241100x800000000000000087663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.247{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 11241100x800000000000000087662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.246{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\99D01D160AC7ADE6301F3559541FEF1A6F6155F02023-01-17 10:32:26.246 23542300x800000000000000087661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.246{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=8F2A067BCBE4F2873B47D1D898036F52,SHA256=0B03C6D124B28A8AA9FFFE3546CC80EE07C5791CB943C475049F78841EFC8A54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.244{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.244{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=AD6E51A100CC49104D4C1CF85D58B8DC,SHA256=CFD754E70F3F8561B00E141DC6F0AD395CE781263CE3C181FD487BD3881D44DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.242{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.242{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=F14A30627BF0AB6A189E29EC8A462477,SHA256=545F35E52DA94B9945E15A9913DFD1C68552B8B1C67F79F7925CBCE1692E3E94,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.241{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\protections.sqlite-journal2023-01-17 10:32:26.231 11241100x800000000000000087655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.241{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.240{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=638AD580F28789E85C6DC9A827DB4A3C,SHA256=7D6AEF57CAC0BBF3FD1E834C50408C3970404A78AA33F618F5861F45B694DF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.239{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\protections.sqlite-journalMD5=3B29A0CB0031E459448824F771FCAC9F,SHA256=856D0E6AF00E2986FCD544F6D91B52B6F0CC8DD931667839555CC28A412E744B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.237{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.236{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=AA72A5B8C20096292D3C8A7E566DCDF5,SHA256=3E61247E00F18692B6DB62DE41E1039F1AD2767A6774B05F628E349763F53B8E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.235{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.233{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=186D3A3A658400DF321925076B081530,SHA256=069AE8AEDAE7D56E4C64A4FF2EEA98A5106B74FC587069DF24359EEAB7218E0F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.233{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 11241100x800000000000000087647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.231{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\protections.sqlite-journal2023-01-17 10:32:26.231 10341000x800000000000000087646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.231{F172AD64-7939-63C6-6D02-00000000B002}6060932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.230{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 11241100x800000000000000087644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.229{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.229{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 734700x800000000000000087642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.227{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000087641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.223{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\events\events2023-01-17 10:32:26.223 11241100x800000000000000087640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.222{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\events\background-update2023-01-17 10:32:26.222 11241100x800000000000000087639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.222{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.222{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=1EA5C350883F5506C12DD5CED14E58C8,SHA256=49D48E9E0A11C402C5E6FD59B6C6678195364A46020AC07478BC45EE236CCFC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.220{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.220{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=038916C6934D760E878CBCFF39E184AF,SHA256=D0762059FBEE9EC8A4428DFA4431DD133E1C48B36A56E5BC00279E11F17E0F69,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.217{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\68AEF87DA146A4D0BEDDD3ED665C866724B456482023-01-17 10:32:26.217 11241100x800000000000000087634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.216{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\tmp\180b9a15-ecd2-4772-898b-3432a7a1fd192023-01-17 10:32:26.216 23542300x800000000000000087633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.216{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.216{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\tmp2023-01-17 10:32:26.215 11241100x800000000000000087631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.215{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\90E321EE94230DCDBDCD2EC0B77C695A4FC21F782023-01-17 10:32:26.215 11241100x800000000000000087630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.215{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\pending_pings2023-01-17 10:32:26.215 11241100x800000000000000087629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.215{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.214{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=A24C0A3F45DDA58375601E35C3A69475,SHA256=02F98E9A7B04CB3F805B219262AF18009E8330315A04AE4750418BE35178E28E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.213{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.213{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=B69A4705A594AB999D4D336C8FE93891,SHA256=1AF400EB54AEFDF6EE1DD4670FB0463C33BD40AF844606723B6DF3CE6843C225,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.212{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.211{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=65CBCCC78A7FB2446CAA4E3C5C1C33E1,SHA256=94E55B712EA3A1467C6C7FAD9FECA83B1EEFE3E0EA7C29E10FFE8C7B5ED0E137,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.210{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.210{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=65CBCCC78A7FB2446CAA4E3C5C1C33E1,SHA256=94E55B712EA3A1467C6C7FAD9FECA83B1EEFE3E0EA7C29E10FFE8C7B5ED0E137,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.209{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 11241100x800000000000000087620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.208{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\protections.sqlite2023-01-17 10:32:26.208 23542300x800000000000000087619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.208{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=EBF8B7C69880C33FF29C9BBFBC4C533A,SHA256=CDDCECFE81D7028CFBA767EFB53748D8C3B979270FFB07CDD971B279B4F894BE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.206{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.206{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=293795F0E44030DBE3FF8F660F148003,SHA256=1F8A4ED1492E5D26F8E44EA6E7648B4FC820E512FF543CB77BCDCF81F6F5AD18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.203{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.203{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=FBFCC25D328F19DDB9F7546686C0211D,SHA256=0A3F833E2DE2DE928DFBB8A1D43B5B27AF7315D1472BD0D0F47C899F8CDD4E74,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.192{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.191{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=D7363D71E0645D2433559A4712239487,SHA256=516EE65131A17FCFFE2023D55F4FF034A16DE9786677AF36DAFAB2CA6C37474D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.190{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.190{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=7EB06976A67ACD42D6DB8AF5602BFEC4,SHA256=D5F3B98B1F70E83D94F0660CA5BD25A77C71B8D4426EE9CC2F4E318E884D6A06,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.188{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.188{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=F77D51BA6AA0AAC3E74F132914A18188,SHA256=130A21F4FB38913AB01143B30317DAEA7559393013CEF3514D2C37EF6CBEB130,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.187{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.187{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 11241100x800000000000000087606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.187{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 23542300x800000000000000087605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.186{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=D017C36B0E51011F6B4B8D60F36EB5E4,SHA256=D4E3136EA3C72C32B651C93556509F4B8FE5E9B88B24CA6D578E1657673949AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.185{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=D3E9418E01D6976F33A14E628E384C45,SHA256=92FC8622B0E79F4B9C6BEA525937C936734F7B516B387BED3AC4F2E4C980D919,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.185{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.184{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=9CEFAE905B67BF6CF378680C6D9D90DD,SHA256=58ECE26B19EFBE94606C5303342944E1A027A65194F6470B29B3570A9B036D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.182{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=FDD36D7379A11646F2DC17DE94802821,SHA256=7718547D1FFDF5F4D056A7490D1FF4876DD70CE53D3481054754FD09FB241630,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.182{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.181{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=2DC619C7466559838D33B9C6E3807977,SHA256=3CFF80B40B63AFFB3B89F176EB8CD8A9EA8B21816E42F1324A8CFC19EEBBE0A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.180{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\260B15B53F19456829D7A4913A4FCB5EEEAAD6B82023-01-17 10:32:26.180 11241100x800000000000000087597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.180{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.179{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=38E1146B753BDEC7B2C00E29E71199D7,SHA256=D48E98E709B88168E11DC1291E1909E7E9A0513E87D79BC5E6C0B4985F69C7F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.178{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.177{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=C25F4087487A3CF3A39E04711801C222,SHA256=10628ACABBB43E4724AB039877B609BC903F98D0B00BA26EA2709625F6322A72,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.176{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000087592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.176{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=436FCEACE09FCD9D75ECD57ECC44F7F4,SHA256=E9257B47B8CC3C1E18E6149BC463D7722F8B3147E6873E1FBCAF3B074F92F31A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.175{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 11241100x800000000000000087590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.174{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db2023-01-17 10:32:26.174 11241100x800000000000000087589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.174{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\events2023-01-17 10:32:26.173 11241100x800000000000000087588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.173{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean2023-01-17 10:32:26.173 11241100x800000000000000087587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.160{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000087586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.159{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 11241100x800000000000000087584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.157{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A4E08A77C470661236FD6A450F7ED7980A871B792023-01-17 10:32:26.156 734700x800000000000000087583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.155{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 11241100x800000000000000087582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.154{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2B8DB5289EFF0A466C21F47412A322A36CEB50442023-01-17 10:32:26.154 734700x800000000000000087581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.154{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D92AABEAF72AB2FB3B2E2F911477039E,SHA256=300FEBB1EFE1EECA4F535A828104A8F4AEF8FC4785A0456B2D8DA76E7EDAFC96,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 11241100x800000000000000087580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.144{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\252CE8AC445A184A1F4A1C6C6D4ADB8AE41B77762023-01-17 10:32:26.143 11241100x800000000000000087579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.143{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\22F59957B7E08CD6CCFED6AF2A1DF26FE157DF402023-01-17 10:32:26.142 11241100x800000000000000087578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.141{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000087577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.140{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356150F200A39EE6FC482148C408820E,SHA256=9B348CD88D81376518A287BCBD9CF11CFC3585F6D2B0FFDCC34D123164C1BA86,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3C9B2D192D535C347CDA9FB12BFC88FD40CF03822023-01-17 10:32:26.123 11241100x800000000000000087575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.119{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:32:24.218 11241100x800000000000000087574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.119{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:32:24.218 11241100x800000000000000087573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.119{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\109D080055C1548CE320A422FD98DA1D5E1A5BC82023-01-17 10:32:26.119 11241100x800000000000000087572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.118{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D8EF12DD3F5A0B350AEDF5A0EBB7935D12C12CE32023-01-17 10:32:26.118 11241100x800000000000000087571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.118{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\58FA4C93D2C2293EB9F0554BA83740A06674316F2023-01-17 10:32:26.117 11241100x800000000000000087570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.117{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7DB3359FF1AE28D679D8DE03A74F2C06BC18D50B2023-01-17 10:32:26.117 11241100x800000000000000087569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.116{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6762E24BB9F66A6430B9C774503510453B4EBA212023-01-17 10:32:26.116 11241100x800000000000000087568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.115{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5B87F2070DD7E272DE2597FBF03E77ECD3A054AB2023-01-17 10:32:26.115 11241100x800000000000000087567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.114{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F8D5B76A1EF679D7E128B67E60239325BF22714D2023-01-17 10:32:26.114 11241100x800000000000000087566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.114{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A8743ACDA513FF27A72604EA39BAAE662138F0B92023-01-17 10:32:26.113 11241100x800000000000000087565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.109{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000087564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.108{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000087563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.106{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 10341000x800000000000000087562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.103{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000087561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.051{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\2d5f6a6cfc9591252023-01-17 10:32:26.050 734700x800000000000000087560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.019{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000087559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.019{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000087558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.018{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000087557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.017{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000087556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.016{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000087555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.015{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000087554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.015{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000087553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.014{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 354300x800000000000000087552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.085{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49486-false72.21.91.29-80http 354300x800000000000000087551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.015{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55998- 354300x800000000000000087550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.015{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61098- 734700x800000000000000087549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.006{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000087548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.006{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000087547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.005{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000087546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.005{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000087545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.004{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000087544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.004{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 11241100x800000000000000087543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.004{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x800000000000000087542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.004{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 23542300x800000000000000087541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.004{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=7AEA50B136CED5F4A924393480390FAE,SHA256=F95EA44EC614AB86198C076DA997E88D06CDA460A35991A8C263E865FB3C8B72,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.004{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000087539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.003{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000087538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.003{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000087537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.002{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000087536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.002{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 23542300x800000000000000087535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.002{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DCCD97AB1AF674BECC508FC977D905,SHA256=498B3384DC9F471FC52B5BDDBE38D898AC570E498C145B3E05E6BFE3A7CF4EBA,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000087534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.002{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.002{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000087532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.002{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000087531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.001{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000087530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.001{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000087529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.001{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000087528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.001{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000087527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.001{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000087526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.001{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000087525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.001{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000087524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.000{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000087523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.000{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000087522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.000{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000087521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.000{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000087520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.000{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000087519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.999{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000087518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.998{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000087517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.997{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000087516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.996{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000087515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.996{F172AD64-7939-63C6-6D02-00000000B002}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000088309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.997{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x800000000000000088308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.876{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\targeting.snapshot.json.tmp2023-01-17 10:32:27.876 354300x800000000000000088307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.841{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49515-false34.111.73.144144.73.111.34.bc.googleusercontent.com443https 354300x800000000000000088306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.830{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61354- 354300x800000000000000088305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.829{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51797- 354300x800000000000000088304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.770{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49514-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49513-false35.241.9.150150.9.241.35.bc.googleusercontent.com443https 354300x800000000000000088302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.656{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49512-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 11241100x800000000000000088301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.704{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 23542300x800000000000000088300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.704{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.704{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:23.824 22542200x800000000000000088298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.918{F172AD64-7935-63C6-6402-00000000B002}2296r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;23.64.114.220;23.64.114.213;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.247{F172AD64-7935-63C6-6402-00000000B002}2296prod.balrog.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.246{F172AD64-7935-63C6-6402-00000000B002}2296prod.balrog.prod.cloudops.mozgcp.net035.244.181.201;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000088295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.566{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.566{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A793F9340ECE9F97AA692B08CA1F3CF1,SHA256=412A005DB914B59D140F0D7619D811C094F47B4639FC3E623014E42DB3017DC9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.550{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:32:27.550 11241100x800000000000000088292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.550{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups2023-01-17 10:32:27.550 354300x800000000000000088291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.596{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49511-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.537{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49510-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49509-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000088288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.470{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49508-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.469{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49507-false34.160.144.191191.144.160.34.bc.googleusercontent.com443https 11241100x800000000000000088286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.350{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-email-track-digest256.vlpset2023-01-17 10:32:27.350 11241100x800000000000000088285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.350{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-email-track-digest256.sbstore2023-01-17 10:32:27.350 11241100x800000000000000088284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.350{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-email-track-digest256.vlpset2023-01-17 10:32:27.350 11241100x800000000000000088283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.350{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-email-track-digest256.sbstore2023-01-17 10:32:27.350 11241100x800000000000000088282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.350{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpset2023-01-17 10:32:27.350 11241100x800000000000000088281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.334{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstore2023-01-17 10:32:27.334 11241100x800000000000000088280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.334{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpset2023-01-17 10:32:27.334 11241100x800000000000000088279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.334{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstore2023-01-17 10:32:27.334 11241100x800000000000000088278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.334{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpset2023-01-17 10:32:27.334 11241100x800000000000000088277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.334{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstore2023-01-17 10:32:27.334 11241100x800000000000000088276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.334{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpset2023-01-17 10:32:27.334 11241100x800000000000000088275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.319{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstore2023-01-17 10:32:27.319 11241100x800000000000000088274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.319{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpset2023-01-17 10:32:27.319 11241100x800000000000000088273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.319{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstore2023-01-17 10:32:27.319 11241100x800000000000000088272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.304{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpset2023-01-17 10:32:27.304 11241100x800000000000000088271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.304{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\containers.json.tmp2023-01-17 10:32:27.304 11241100x800000000000000088270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.288{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstore2023-01-17 10:32:27.288 11241100x800000000000000088269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.271{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpset2023-01-17 10:32:27.271 11241100x800000000000000088268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.267{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstore2023-01-17 10:32:27.267 354300x800000000000000088267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.386{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49506-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x800000000000000088266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.377{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49505-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.373{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63470- 354300x800000000000000088264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.371{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65053- 354300x800000000000000088263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.371{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local54544- 354300x800000000000000088262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.368{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local61104- 354300x800000000000000088261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.368{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local62119- 354300x800000000000000088260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.368{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local54467- 354300x800000000000000088259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.367{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local52301- 354300x800000000000000088258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.345{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63143- 354300x800000000000000088257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.345{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61106- 354300x800000000000000088256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.344{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54544- 354300x800000000000000088255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.344{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61791- 354300x800000000000000088254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.344{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61105- 354300x800000000000000088253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.343{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61104- 354300x800000000000000088252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.343{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62119- 354300x800000000000000088251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.342{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54467- 354300x800000000000000088250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.342{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52301- 354300x800000000000000088249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.279{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49504-false23.64.114.220a23-64-114-220.deploy.static.akamaitechnologies.com80http 354300x800000000000000088248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.237{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49503-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.228{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50064- 354300x800000000000000088246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.180{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local52137- 354300x800000000000000088245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.155{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52137- 354300x800000000000000088244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.149{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local61098-false127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domain 23542300x800000000000000068960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:27.053{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B6B8EB2FEBC65908563008D8AC01DE,SHA256=EEFC791894DB59AC668C6B398DFDA7D28ADCFA65DB2A878960D0A40F077F39A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.259{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-track-digest256.vlpset2023-01-17 10:32:27.255 11241100x800000000000000088242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.255{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-track-digest256.sbstore2023-01-17 10:32:27.255 11241100x800000000000000088241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.253{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\analytics-track-digest256.vlpset2023-01-17 10:32:27.253 11241100x800000000000000088240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\analytics-track-digest256.sbstore2023-01-17 10:32:27.250 11241100x800000000000000088239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.248{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-track-digest256.vlpset2023-01-17 10:32:27.248 11241100x800000000000000088238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.245{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-track-digest256.sbstore2023-01-17 10:32:27.245 11241100x800000000000000088237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.242{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\ads-track-digest256.vlpset2023-01-17 10:32:27.242 10341000x800000000000000088236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.240{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.240{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.240{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000088233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.238{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\ads-track-digest256.sbstore2023-01-17 10:32:27.238 10341000x800000000000000088232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.237{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.237{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.237{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.235{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.235{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.235{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000088226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.219{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpset2023-01-17 10:32:27.219 11241100x800000000000000088225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.219{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstore2023-01-17 10:32:27.219 11241100x800000000000000088224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.219{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google42023-01-17 10:32:27.219 11241100x800000000000000088223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.219{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating2023-01-17 10:32:27.219 11241100x800000000000000088222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.204{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\addonStartup.json.lz4.tmp2023-01-17 10:32:25.268 11241100x800000000000000088221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.160{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\ExperimentStoreData.json.tmp2023-01-17 10:32:27.160 11241100x800000000000000088220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.072{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\search.json.mozlz4.tmp2023-01-17 10:32:27.072 734700x800000000000000088219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.071{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000088218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.069{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000088217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.068{F172AD64-793A-63C6-7102-00000000B002}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000088216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.019{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000088215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.019{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7E51FAE54830EBA255A31D2B944A662,SHA256=A401F2D88D0103EFF605F567C05C4A2EFBB3DE61BB0F2ABB28176861191F5830,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.127{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49500-false35.160.102.233ec2-35-160-102-233.us-west-2.compute.amazonaws.com443https 354300x800000000000000088213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.122{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49499-false35.155.77.83ec2-35-155-77-83.us-west-2.compute.amazonaws.com443https 354300x800000000000000088212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.114{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local61098- 354300x800000000000000088211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.113{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9810:e209:8b:ffff-61098-true7f00:1:4100:4300:2000:4c00:6100:7900-53domain 354300x800000000000000088210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.104{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49502-false72.21.91.29-80http 354300x800000000000000088209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.102{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49501-false34.98.75.3636.75.98.34.bc.googleusercontent.com443https 354300x800000000000000088208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.095{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64075- 354300x800000000000000088207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.087{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52705- 354300x800000000000000088206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.086{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62213- 354300x800000000000000088205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.078{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54061- 354300x800000000000000088204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.077{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49161- 354300x800000000000000088203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.072{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53275- 354300x800000000000000088202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.069{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49497-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000088201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.069{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49498-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000088200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.068{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61240- 354300x800000000000000088199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.068{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54788- 354300x800000000000000088198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.065{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49496-false72.21.91.29-80http 354300x800000000000000088197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.062{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54325- 354300x800000000000000088196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.056{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64582- 354300x800000000000000088195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.053{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52931- 354300x800000000000000088194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.022{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49495-false35.201.103.2121.103.201.35.bc.googleusercontent.com443https 354300x800000000000000088193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.010{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63392- 354300x800000000000000088192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.995{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49509- 354300x800000000000000088191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49494-false54.148.94.254ec2-54-148-94-254.us-west-2.compute.amazonaws.com443https 354300x800000000000000088190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.896{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52459- 354300x800000000000000088189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.895{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50487- 354300x800000000000000088188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:24.892{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65091- 23542300x800000000000000088367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.986{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=073DE8E6774831277C393A0773EAB76D,SHA256=8982556A2AF4C7805CA28772C9FAFB15C0266BDD6465C7524B89EEC59EE232C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.964{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:32:24.361 23542300x800000000000000088365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.964{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=192CCFBE9033CBC7DBD600FF916981C6,SHA256=861F6F43445E9AFBD167F7BD3830AC90F23C5FB56BDD2358359A60E9DA63C206,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.948{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:32:24.361 11241100x800000000000000088363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.704{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\startupCache\webext.sc.lz4.tmp2023-01-17 10:32:28.704 23542300x800000000000000088362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.704{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\formhistory.sqlite-journalMD5=2C4336AF833FDE439890B2340DB4A755,SHA256=E388B0F596CD2CC953C97DDFB99DAED23D550A3FC9EB070436056F1CCB46A1F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.688{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\formhistory.sqlite-journal2023-01-17 10:32:28.665 23542300x800000000000000088360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.688{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\formhistory.sqlite-journalMD5=3300BB287A13FCBD676C4F0BA92CE4F1,SHA256=8D2141FA539C0F8197B097C64062DC33CAAE7403A413A61F1031CE85256EE2B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.687{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.687{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27831B798FE15DA0D095204954111C4,SHA256=2CFE03F18FDC383175836906748A65FE2E2DC475C9C0CA1815C5018D5962AEAB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.685{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.684{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43296E285A7250125118AAD6FF1B6BD1,SHA256=05BB082A5BA05FE3C1DFB40766AA78846E8237417BAA901AF3E6719D7BDC515A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.665{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\formhistory.sqlite-journal2023-01-17 10:32:28.665 11241100x800000000000000088354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.665{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\formhistory.sqlite2023-01-17 10:32:28.665 354300x800000000000000088353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.314{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49525-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.261{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49524-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.198{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49523-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 23542300x800000000000000068961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:28.144{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E501E4A89475B7E83BF25B3BB5DFC5,SHA256=C06B24E09C81F9141F45658C0FA5B0DDB0377ECC24313B862B96BE5FAB6058E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.255{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.255{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.254{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.253{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.253{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.253{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.252{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.252{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.252{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000088341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.147{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.144{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.139{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.137{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.136{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.130{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.127{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.125{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.123{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.118{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.109{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.105{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.099{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.092{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.084{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.057{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.048{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.042{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.035{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000088322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.143{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49522-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.084{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49521-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.056{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49520-false23.64.114.220a23-64-114-220.deploy.static.akamaitechnologies.com80http 354300x800000000000000088319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.046{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61684- 354300x800000000000000088318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.012{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49519-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000088317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.011{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49518-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000088316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.007{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49517-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 354300x800000000000000088315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.000{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51229- 354300x800000000000000088314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.999{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64854- 354300x800000000000000088313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.996{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62849- 354300x800000000000000088312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:25.925{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49516-false34.120.158.3737.158.120.34.bc.googleusercontent.com443https 10341000x800000000000000088311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.028{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.999{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x800000000000000088377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:29.584{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F2023-01-17 10:32:29.584 11241100x800000000000000088376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:29.583{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\039090029E64BC91E87E77199A6A6BE11FC39B6F2023-01-17 10:32:29.583 11241100x800000000000000088375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:29.343{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:29.343{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0685536D937B452E318DD842CFA16DE3,SHA256=C237298A35B91FC482517B97E32291EF9AC27F12A2F628B7F65BC08FF578262B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.369{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local62506- 354300x800000000000000088372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.369{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local64329- 354300x800000000000000088371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.369{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local49648- 354300x800000000000000088370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.346{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64329- 354300x800000000000000088369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.345{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62506- 354300x800000000000000088368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:26.344{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49648- 23542300x800000000000000068962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:29.347{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594CC82C303120971C4BDE8AD544B8C8,SHA256=CA11958B2A3248E57C9876DAAA649B8B52B89B7D76605FC590A1B15BE14F3AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:30.437{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC89B58904F36CFCF5E17121C043CBA8,SHA256=BFCEBDF1819E471F5AF7DAAFCFFB424C7E527D8DBF18CD0C161479A271ED0B37,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:30.866{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:30.866{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22585A85118BA19B4DBDC91511C54986,SHA256=018CC1830942F87D09E6531A6FBFBBA2BC65A7DDA7566973ED6223230D2ABDF2,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000088428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.848{F172AD64-7935-63C6-6402-00000000B002}2296e14801.x.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.847{F172AD64-7935-63C6-6402-00000000B002}2296e14801.x.akamaiedge.net023.32.229.189;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.846{F172AD64-7935-63C6-6402-00000000B002}2296www.homedepot.com0type: 5 www.homedepot.com.edgekey.net;type: 5 e14801.x.akamaiedge.net;::ffff:23.32.229.189;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.845{F172AD64-7935-63C6-6402-00000000B002}2296www.google.com02607:f8b0:4009:80a::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.844{F172AD64-7935-63C6-6402-00000000B002}2296www.google.com0142.250.190.68;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.844{F172AD64-7935-63C6-6402-00000000B002}2296twitter.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.844{F172AD64-7935-63C6-6402-00000000B002}2296reddit.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.843{F172AD64-7935-63C6-6402-00000000B002}2296twitter.com0104.244.42.129;104.244.42.65;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.842{F172AD64-7935-63C6-6402-00000000B002}2296reddit.map.fastly.net0151.101.145.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.842{F172AD64-7935-63C6-6402-00000000B002}2296twitter.com0::ffff:104.244.42.65;::ffff:104.244.42.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.842{F172AD64-7935-63C6-6402-00000000B002}2296www.reddit.com0type: 5 reddit.map.fastly.net;::ffff:151.101.145.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.841{F172AD64-7935-63C6-6402-00000000B002}2296dyna.wikimedia.org02620:0:861:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.840{F172AD64-7935-63C6-6402-00000000B002}2296star-mini.c10r.facebook.com02a03:2880:f103:83:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.840{F172AD64-7935-63C6-6402-00000000B002}2296dyna.wikimedia.org0208.80.154.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.840{F172AD64-7935-63C6-6402-00000000B002}2296www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:208.80.154.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.839{F172AD64-7935-63C6-6402-00000000B002}2296star-mini.c10r.facebook.com031.13.66.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.839{F172AD64-7935-63C6-6402-00000000B002}2296www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:31.13.66.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.838{F172AD64-7935-63C6-6402-00000000B002}2296d3ag4hukkh62yn.cloudfront.net02600:9000:24f7:dc00:7:49a5:5fd2:2221;2600:9000:24f7:9200:7:49a5:5fd2:2221;2600:9000:24f7:5a00:7:49a5:5fd2:2221;2600:9000:24f7:2200:7:49a5:5fd2:2221;2600:9000:24f7:7a00:7:49a5:5fd2:2221;2600:9000:24f7:1e00:7:49a5:5fd2:2221;2600:9000:24f7:a400:7:49a5:5fd2:2221;2600:9000:24f7:5600:7:49a5:5fd2:2221;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.838{F172AD64-7935-63C6-6402-00000000B002}2296youtube-ui.l.google.com02607:f8b0:4009:819::200e;2607:f8b0:4009:81a::200e;2607:f8b0:4009:817::200e;2607:f8b0:4009:818::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.837{F172AD64-7935-63C6-6402-00000000B002}2296d3ag4hukkh62yn.cloudfront.net0108.156.164.230;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.837{F172AD64-7935-63C6-6402-00000000B002}2296youtube-ui.l.google.com0172.217.1.110;172.217.2.46;172.217.4.46;172.217.4.78;142.250.191.110;142.250.191.142;142.250.191.174;142.250.191.206;142.250.191.238;142.251.32.14;142.250.190.14;142.250.190.46;142.250.190.78;142.250.190.110;142.250.190.142;172.217.0.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.837{F172AD64-7935-63C6-6402-00000000B002}2296www.amazon.com0type: 5 tp.47cf2c8c9-frontier.amazon.com;type: 5 d3ag4hukkh62yn.cloudfront.net;::ffff:108.156.164.230;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.836{F172AD64-7935-63C6-6402-00000000B002}2296www.google.com0::ffff:142.250.190.68;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.836{F172AD64-7935-63C6-6402-00000000B002}2296www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:172.217.0.174;::ffff:172.217.1.110;::ffff:172.217.2.46;::ffff:172.217.4.46;::ffff:172.217.4.78;::ffff:142.250.191.110;::ffff:142.250.191.142;::ffff:142.250.191.174;::ffff:142.250.191.206;::ffff:142.250.191.238;::ffff:142.251.32.14;::ffff:142.250.190.14;::ffff:142.250.190.46;::ffff:142.250.190.78;::ffff:142.250.190.110;::ffff:142.250.190.142;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000088404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:30.527{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:30.526{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000088402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.328{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49529-false142.250.191.195ord38s31-in-f3.1e100.net80http 354300x800000000000000088401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.265{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61104-false142.250.190.68ord37s34-in-f4.1e100.net443https 10341000x800000000000000088400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:30.197{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:30.194{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:30.187{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:30.175{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000088396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.179{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49528-false142.250.190.68ord37s34-in-f4.1e100.net443https 354300x800000000000000088395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.050{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49527-false142.250.191.195ord38s31-in-f3.1e100.net80http 354300x800000000000000088394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.033{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61453- 354300x800000000000000088393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.031{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54982- 354300x800000000000000088392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.983{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49526-false142.250.190.68ord37s34-in-f4.1e100.net443https 354300x800000000000000088391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.974{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52687- 354300x800000000000000088390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.972{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65468- 354300x800000000000000088389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.971{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54257- 354300x800000000000000088388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.970{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50524- 354300x800000000000000088387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.970{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54522- 354300x800000000000000088386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.969{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61496- 354300x800000000000000088385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.967{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51927- 354300x800000000000000088384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.966{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54434- 354300x800000000000000088383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.966{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54150- 354300x800000000000000088382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.965{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63976- 354300x800000000000000088381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.963{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64031- 354300x800000000000000088380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.963{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51219- 354300x800000000000000088379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.963{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52275- 354300x800000000000000088378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:27.963{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55334- 354300x800000000000000068965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:30.244{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50339-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000068964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:31.568{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55E8E80B0365EF3809A47C442FE622C,SHA256=7143A15E40E2717C011BB454D3BE0AA4CD385442634E5E60800A0499D054003B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.426{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.426{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D413B04E5A010B584FF0D03BEE9650,SHA256=6DD22B092F12C19555610F0A1073387780B0DD9183B5B588D03D58AA29AFBFD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:28.372{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53445- 10341000x800000000000000088464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.198{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.195{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.193{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.191{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.188{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.185{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.178{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.177{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.162{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.156{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.155{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.154{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.152{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.149{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.148{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.148{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.146{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.130{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.120{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.118{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x800000000000000088444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.100{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x800000000000000088443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.100{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.077{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.070{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.058{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.053{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.052{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.049{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.047{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.045{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.042{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.041{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.039{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000088431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:31.038{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000068966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:32.777{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D57DA608C1E87C0B52693D03B53786B,SHA256=3C0FF070B160C2974F1FCB2CAFC5AE9211B677DACA7311823E1D39FB17AAAEAD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:32.364{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:32.364{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE01578118676B52F6B3EA88A13E25D3,SHA256=F9F7846C74C8B4B11791F53AA507926CB38EB95A93EA52C94E6C5309DCEE9D36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:29.299{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49530-false10.0.1.12-8000- 23542300x800000000000000088499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.932{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\pending_pings\f8a0d961-261c-49aa-bda9-ba1fb9317582MD5=5E9A265C315C1747897B5767C2360EBF,SHA256=6F2223E41DB7027603D492E7192B590CC8A54967393F198D6004EC0423A84A11,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.932{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9CAAD975AB579BE2FA1DDB657EAFE18B30922E7D2023-01-17 10:32:33.932 11241100x800000000000000088497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.912{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F96A1A8368D3C3DD1FA81D170326E6C1C65D342F2023-01-17 10:32:33.912 11241100x800000000000000088496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.841{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\8784dde47bf19ddd2023-01-17 10:32:33.841 11241100x800000000000000088495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7B463F637618B7CC6223850C248C7DB7B3C15FD92023-01-17 10:32:33.836 11241100x800000000000000088494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0BABF52A64DC7B1FCCDD563D131A086B80FE77E02023-01-17 10:32:33.836 11241100x800000000000000088493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3C7712659D18F9BDD24B44DD2EE887F2D1CA3EAE2023-01-17 10:32:33.836 11241100x800000000000000088492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.816{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C9132023-01-17 10:32:33.816 10341000x800000000000000088491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.796{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000088490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.764{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\tmp\f8a0d961-261c-49aa-bda9-ba1fb93175822023-01-17 10:32:33.764 11241100x800000000000000088489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.764{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000088488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.764{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=CF04FC5562C7C31ABA86DEBA9BFB355A,SHA256=09A94FC5309449608F3B7A7D2A2C438C1009F21D0206688C66855F36F10E598F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.764{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000088486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.764{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=5470DDF51AD12D49F8CEF4C3F4805C58,SHA256=5F5FD79EFB2D019804AF5681135244DA3B169BFFFE13168410D7E56232D640AC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.754{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000088484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.754{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=283A9882CB9E2894734AB372EDDBB119,SHA256=C3C0D058D292748172C85252A4FB38FCA0B0C03BFF6F94CA6F5AACF5DEA15226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.754{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\events\newtabMD5=6EB817CB700E5A5CA6842FB5EFC8D938,SHA256=9A29C8255FD6DA0CF36B8405F32CA0F2CE5A8114D8BAB022A5459D49A640DA6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.754{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000088481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.754{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=E6046E3DD81F7C9ED005D38CB3E33735,SHA256=49AB562D2DAE74B2DF4C0D484CD053455BC6D24B25D0664C71B656DF457A84BC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.754{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\events\newtab2023-01-17 10:32:33.754 10341000x800000000000000088479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.754{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000088478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.744{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cookies.sqlite-shm2023-01-17 10:32:33.744 10341000x800000000000000088477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.744{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+45a2cc6|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 11241100x800000000000000088476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.744{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cookies.sqlite-wal2023-01-17 10:32:33.744 23542300x800000000000000088475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.600{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\formhistory.sqlite-journalMD5=E06684D40215E726FEB44DE2C460F953,SHA256=4B0EB5BF128F7F6D1756FAA123786FD3D181558A39A42188F33892DD53AC8CC8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.593{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\formhistory.sqlite-journal2023-01-17 10:32:28.665 11241100x800000000000000088473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.400{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.400{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9F10040AC249BABE4F441AFFBC0C83,SHA256=EA6BF29A91403C26CBEE441E50A0FBEA4E1A8987C1277A57552E5E51875D0699,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:30.220{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49531-false10.0.1.12-8089- 10341000x800000000000000069005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.513{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000069004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.498{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000069003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.469{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000069002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.459{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000069001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.456{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000069000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.414{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.406{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.377{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.369{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.363{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.354{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.349{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.346{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.344{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.343{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.337{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.336{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.334{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.333{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.329{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.324{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.319{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.308{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.292{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.273{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.240{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.218{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.186{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.172{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.159{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.151{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.143{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.128{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.115{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.108{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000068967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:33.098{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 11241100x800000000000000088649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.997{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E9CBB2505EFC589770A49C44EEE9B05CCF13137A2023-01-17 10:32:34.997 11241100x800000000000000088648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.961{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9E13FD7367D1D4F1FA1EB28A25DA23C1030FAF1D2023-01-17 10:32:34.961 354300x800000000000000088647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:32.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49533-false142.250.191.195ord38s31-in-f3.1e100.net443https 354300x800000000000000088646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:32.927{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64263- 354300x800000000000000088645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:32.925{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63304- 11241100x800000000000000088644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.887{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B4959F06D94749C1DA028C0A02EDE7475A2036B72023-01-17 10:32:34.887 11241100x800000000000000088643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.885{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7590CE21DABE9C298F1A153911083D702FC5E0C32023-01-17 10:32:34.885 734700x800000000000000088642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.865{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000088641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.864{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000088640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.860{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.859{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000088638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.858{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E27D2205AB91AF5A91D1CCB34A0E4859608DF82E2023-01-17 10:32:34.858 11241100x800000000000000088637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.856{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F76DD86EE9E6C9647EE0FA40E4F530592D1A255B2023-01-17 10:32:34.855 734700x800000000000000088636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.855{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 11241100x800000000000000088635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.850{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B08DE65990F6680BCF7D57174047667A9A6D99802023-01-17 10:32:34.850 734700x800000000000000088634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.850{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000088633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.850{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 11241100x800000000000000088632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.850{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\056875EF7A70157549110DBFAC7379B3E9D494002023-01-17 10:32:34.850 734700x800000000000000088631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 11241100x800000000000000088630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\10EF5ACB6D871372B2C55F1A4BE1C45CC1FAE6AC2023-01-17 10:32:34.842 10341000x800000000000000088629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 11241100x800000000000000088626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6CE23C0BE19F31D6525D960715F8906DF11B984B2023-01-17 10:32:34.842 734700x800000000000000088625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 23542300x800000000000000069006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:34.068{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03D647B756852D5184899B0D6AF0F5C,SHA256=A9704082ABEBA07E5AB2E4CD216D658FCCDFB24FAC6801A66358139B918F8945,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000088624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000088623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000088622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000088621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.842{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000088620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.834{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 11241100x800000000000000088619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.834{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0A3943FE0B35886BA236B2E4012AFBF54B640B9E2023-01-17 10:32:34.834 18141800x800000000000000088618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:34.834{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-7C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000088617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:34.834{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-7C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.834{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000088615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.834{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000088614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.834{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 11241100x800000000000000088613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.826{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\91D726B4D0C0B7B5927D9F5168995DDD2D31D5082023-01-17 10:32:34.826 10341000x800000000000000088612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.818{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.818{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000088610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.810{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000088609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:34.810{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.14685345041645412887C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.810{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 17141700x800000000000000088607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:34.810{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.14685345041645412887C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000088606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.810{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000088605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:34.810{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.9.69591247C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000088604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.810{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000088603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:34.810{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000088601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000088600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000088599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000088598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000088597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000088596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000088595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000088594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000088593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000088592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.801{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000088591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.799{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000088590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.798{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000088589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.798{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000088588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.798{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000088587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.797{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000088586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.797{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000088585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.796{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000088584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.794{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000088583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.793{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000088582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.792{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000088581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.792{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000088580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.792{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000088579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000088578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000088577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000088576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x800000000000000088575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000088574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x800000000000000088573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000088571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000088570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000088569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.784{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000088568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.776{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000088567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.776{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000088566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.776{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000088565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.776{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000088564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.776{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000088563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.776{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\189E8EE3481E0A80D047A04E59F9D16C09CCE3C72023-01-17 10:32:34.776 10341000x800000000000000088562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.774{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.9.695912474\873295757" -childID 8 -isForBrowser -prefsHandle 9164 -prefMapHandle 9168 -prefsLen 29955 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {099b40a3-0e03-4fef-9bfa-3db3b31403cd} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 9152 1793c790558 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000088555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.768{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.757{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.757{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000088529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:34.757{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.9.69591247C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000088528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.737{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C2C94204BB78C811C1F21E2C3AD7EB80D1EDD0192023-01-17 10:32:34.737 11241100x800000000000000088527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.723{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8AA14F4479EB72035214FFBB5EEFAA9809C259FE2023-01-17 10:32:34.723 11241100x800000000000000088526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.701{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2F1FDE0A27931730081D02F4BAB59057FE05A6872023-01-17 10:32:34.701 11241100x800000000000000088525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.701{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6E83CD15579A8C5413EB9230549F8A32509484242023-01-17 10:32:34.701 11241100x800000000000000088524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.699{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\08A305F23BE96B0500292CBA18342F1163F55EB22023-01-17 10:32:34.699 11241100x800000000000000088523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.689{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\987A486EEEBC901799DD012C5A236F39CAEE69CD2023-01-17 10:32:34.689 354300x800000000000000088522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:32.735{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49532-false142.250.190.68ord37s34-in-f4.1e100.net443https 11241100x800000000000000088521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.637{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D56EA02318DAA822D902F433BECA0D95D5AE97862023-01-17 10:32:34.637 11241100x800000000000000088520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.625{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.625{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD284E3C4A4163FE0EC0B158EAE6CB0,SHA256=6205FBEC2B88419674838EEA8DE50DEC4E93FF8D9ECDB3242B2FAA26FAA63E1F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.621{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3173B0FD11AC3DF0BD1076BBE92A9D00AEE4A35B2023-01-17 10:32:34.621 11241100x800000000000000088517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.599{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DDC0E8293A673D184E35AD2E1CCFB6C64DE8E4912023-01-17 10:32:34.599 11241100x800000000000000088516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.598{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B76267F06C3B7F1CCA2425DBED25D9D8D1DC20A82023-01-17 10:32:34.597 11241100x800000000000000088515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.564{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D5287C5C95F910B5DF88A357CD851EFB405C182A2023-01-17 10:32:34.564 11241100x800000000000000088514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.537{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9EFCB3385D09B1B7CAA877AF64B87FB3DF79440C2023-01-17 10:32:34.537 11241100x800000000000000088513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.525{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B1D0652F93CD530E6F42C3F9126CD850EDE1D67B2023-01-17 10:32:34.525 11241100x800000000000000088512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.501{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5B62E5DBAD8A53DEDE15EBD6E16D43E3E880F3F62023-01-17 10:32:34.501 11241100x800000000000000088511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.495{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\52B859C2CC6593C374796A7ACDB8598169D15B972023-01-17 10:32:34.495 11241100x800000000000000088510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.495{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A757B4962D2BB091AA6ED2CEB9358188E84BE3862023-01-17 10:32:34.494 11241100x800000000000000088509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.494{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AB68FD34331DAC3A079E29826FE75B848D0D63D62023-01-17 10:32:34.494 11241100x800000000000000088508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.493{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DE1047B63AF42287E9505610D751819836E1B9152023-01-17 10:32:34.492 11241100x800000000000000088507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.492{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\50B16F09152707E3859BD40CB62E90D53B6BCDD62023-01-17 10:32:34.492 11241100x800000000000000088506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.465{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\177E467048B42402F63B010990046AD5A5E5A5302023-01-17 10:32:34.465 11241100x800000000000000088505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.425{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2CF5B7C43EC91064E74C32AC899379870F2C7A412023-01-17 10:32:34.425 11241100x800000000000000088504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.201{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B7E1F4B02477B77AA468B12D2E38EE845D051C0C2023-01-17 10:32:34.200 11241100x800000000000000088503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8540EC873F08CBAD5DF5121BD3BABF95624B4A142023-01-17 10:32:34.124 11241100x800000000000000088502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.101{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C01A5A91B3215B34E7411A2001698454305F70262023-01-17 10:32:34.101 11241100x800000000000000088501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.077{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\601DE0E3418E1141805928F9E4FF58DD77B3F6B62023-01-17 10:32:34.073 11241100x800000000000000088500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.053{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8D9F345F7DDCDCE55CF16E860CE3B882AEC110722023-01-17 10:32:34.053 23542300x800000000000000069007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:35.150{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74149A90912D6BBE2019595DB055AB93,SHA256=56D25DA116508278AE612443D5A0972E897C0AFACB4A3CC7E166D62978FA560E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.993{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E6F2F000DB8B8B155695B93CBE288FB2D837B8032023-01-17 10:32:35.993 23542300x800000000000000088976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.959{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journalMD5=D34AEA711C70D2E73D0543F768A10571,SHA256=13A93510A750D1D7EEA959D278D94221B8EFF45089D75C17091B31B5B31FB3A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.953{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journal2023-01-17 10:32:23.983 354300x800000000000000088974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.971{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local53819-false142.250.191.206ord38s31-in-f14.1e100.net443https 354300x800000000000000088973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.969{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local53818-false172.217.1.110ord37s51-in-f14.1e100.net443https 354300x800000000000000088972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.954{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49550-false172.217.5.2lga15s49-in-f2.1e100.net443https 354300x800000000000000088971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.925{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53817- 354300x800000000000000088970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.925{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64250- 354300x800000000000000088969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.922{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62344- 354300x800000000000000088968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.908{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49548-false142.250.191.206ord38s31-in-f14.1e100.net443https 354300x800000000000000088967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.906{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49549-false142.250.191.206ord38s31-in-f14.1e100.net443https 354300x800000000000000088966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local62885-false142.250.190.34ord37s33-in-f2.1e100.net443https 354300x800000000000000088965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.871{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49546-false142.250.191.206ord38s31-in-f14.1e100.net443https 354300x800000000000000088964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.868{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49547-false142.250.191.206ord38s31-in-f14.1e100.net443https 354300x800000000000000088963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.868{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49545-false142.250.191.206ord38s31-in-f14.1e100.net443https 354300x800000000000000088962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.841{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49544-false142.250.191.206ord38s31-in-f14.1e100.net443https 354300x800000000000000088961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.839{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49543-false172.217.1.110ord37s51-in-f14.1e100.net443https 354300x800000000000000088960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.837{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49542-false172.217.1.110ord37s51-in-f14.1e100.net443https 354300x800000000000000088959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local62884-false172.217.4.78lga15s47-in-f78.1e100.net443https 354300x800000000000000088958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.824{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62883- 354300x800000000000000088957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.823{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53207- 354300x800000000000000088956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.820{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63455- 354300x800000000000000088955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.820{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53775- 354300x800000000000000088954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.818{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54546- 354300x800000000000000088953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.807{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49541-false142.250.190.34ord37s33-in-f2.1e100.net443https 354300x800000000000000088952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.791{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53889- 354300x800000000000000088951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.788{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50195- 10341000x800000000000000088950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.893{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.893{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.893{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.892{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.892{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.892{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.874{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.873{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.873{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000088941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.873{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 10341000x800000000000000088940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.873{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.872{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.872{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000088937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.846{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x800000000000000088936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.845{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3925E01E00CC6FF3435E0657E78562D0,SHA256=843F42CE8D28816A990ADB0B9393592703F8CE5A4008E5F5513815A2886F973F,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x800000000000000088935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.844{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=C9DBBC2C3A27BB195586C3BC3CDBC198,SHA256=005F60E22A386DB12FA086D7E83DE521B00F69B073D1859E4E13C3F745690638,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 11241100x800000000000000088934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.841{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F3A39DDBA842822E2601D665A76E28145620AAD2023-01-17 10:32:35.840 11241100x800000000000000088933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.833{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000088932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.833{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9188AC5F02DE3E34983941AC52865DF2,SHA256=CE42415BCA861FD05311B0B4CBC341C76A41DEBAFD1D20FF93F22897915D765C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.827{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.827{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38CFAB0C3ED1C64CBAD15B9A2261D2E,SHA256=7A45C3D0AEB7DE32B9F9ECF61ED3D09AC7152BF322D59D2E9FCA869EA24A50BB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000088929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.817{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MSAudDecMFT.dll10.0.14393.206 (rs1_release.160915-0644)Media Foundation Audio DecodersMicrosoft® Windows® Operating SystemMicrosoft CorporationMSAudDecMFT.dllMD5=899A520E5B6B8631DF6863BBD33A4264,SHA256=2A23CAF4CC2D11A20574EDE1755D03F4FF1ECDCE3D626A69D85CFE46703BC97D,IMPHASH=564825227B20C446A4E5874DD1BAF1FAtrueMicrosoft WindowsValid 734700x800000000000000088928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.816{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msdmo.dll10.0.14393.0 (rs1_release.160715-1616)DMO RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdmo.dllMD5=3246C9C5ECF6555103C7119161ACC8C8,SHA256=3A29292F04B09A91C305062E00756194A83BDEA3ABB1BFB783D908E6D1BEBFBC,IMPHASH=B5AB2AA782AD334C5633AAE30A2CFF41trueMicrosoft WindowsValid 734700x800000000000000088927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.816{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MP3DMOD.DLL10.0.14393.0 (rs1_release.160715-1616)Microsoft MP3 Decoder DMOMicrosoft® Windows® Operating SystemMicrosoft Corporationmp3dmod.dllMD5=A9B35CD3C0A14AE1B9DAA8E4114B8E49,SHA256=25142AF94A5C151055C5DAAB89D183F923CE47EE61D8D3B38DE2BC833FC16E18,IMPHASH=33FA1A40805F452D7ED8E842BB1DA59BtrueMicrosoft WindowsValid 734700x800000000000000088926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.814{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000088925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.813{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mfperfhelper.dll10.0.14393.0 (rs1_release.160715-1616)MFPerf DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfperfhelper.dllMD5=DAD53152E620AB1D256F531CCDDF4C96,SHA256=577A697C088A319A9839989E18548F46121E661D56C701DE0360905E814BC12D,IMPHASH=A00BC62B03D75EE2D584A9E7EFBA79A6trueMicrosoft WindowsValid 734700x800000000000000088924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.813{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msmpeg2vdec.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft DTV-DVD Video DecoderMicrosoft® Windows® Operating SystemMicrosoft CorporationMSMPEG2VDEC.dllMD5=A1848B7EAD4E9B656A947F047AF2ADD9,SHA256=A80DCB59A565170E9A16E31DEB03FF0564D7DC3505FA83EAD96AC02FEDB87681,IMPHASH=6B91AF8A332F21F82F6117F8D9E0B8DBtrueMicrosoft WindowsValid 734700x800000000000000088923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.788{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000088922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.788{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\evr.dll10.0.14393.2515 (rs1_release_1.180830-1044)Enhanced Video Renderer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationevr.dllMD5=4F00E99C3E92226B072C0E80D52A82F4,SHA256=7788212BD473C69B3C8F6705A7470BE783BE0244BC289334EFA579AAD2C9A91C,IMPHASH=C44CF843A574B60FED1B4D29827EBA14trueMicrosoft WindowsValid 734700x800000000000000088921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.783{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mfperfhelper.dll10.0.14393.0 (rs1_release.160715-1616)MFPerf DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfperfhelper.dllMD5=DAD53152E620AB1D256F531CCDDF4C96,SHA256=577A697C088A319A9839989E18548F46121E661D56C701DE0360905E814BC12D,IMPHASH=A00BC62B03D75EE2D584A9E7EFBA79A6trueMicrosoft WindowsValid 734700x800000000000000088920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.780{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dxva2.dll10.0.14393.0 (rs1_release.160715-1616)DirectX Video Acceleration 2.0 DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdxva2.dllMD5=DE24CAC5A0B3CE1AD8057FE258712365,SHA256=5CA1E7FBA01D92AA3F933A00E495460DC5DB38DAD2CAD370782474F50F9C964E,IMPHASH=338B9EB254A5341CE890B2511DF3DFAEtrueMicrosoft WindowsValid 734700x800000000000000088919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.777{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mf.dll10.0.14393.5582 (rs1_release.221130-1719)Media Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmf.dllMD5=1D9ED89EC36FB43303418F557A8B7893,SHA256=20F02D55E45A5EED892A92145FB9244A4F658E73F57048374E327B9504F021F6,IMPHASH=224763A9487AA02E14432742CBC2F08EtrueMicrosoft WindowsValid 734700x800000000000000088918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.772{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MSAudDecMFT.dll10.0.14393.206 (rs1_release.160915-0644)Media Foundation Audio DecodersMicrosoft® Windows® Operating SystemMicrosoft CorporationMSAudDecMFT.dllMD5=899A520E5B6B8631DF6863BBD33A4264,SHA256=2A23CAF4CC2D11A20574EDE1755D03F4FF1ECDCE3D626A69D85CFE46703BC97D,IMPHASH=564825227B20C446A4E5874DD1BAF1FAtrueMicrosoft WindowsValid 734700x800000000000000088917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.769{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\RTWorkQ.dll10.0.14393.479 (rs1_release.161110-2025)Realtime WorkQueue DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRTWorkQ.dllMD5=1EABA23A7305A232C9A16C14806ED091,SHA256=3AD1A84A56EE0DA68B40D40770787FEED3DCF4A74BE172F01BD837FD680396E6,IMPHASH=41E263D9EB0100A59E34B18CF8F6F725trueMicrosoft WindowsValid 734700x800000000000000088916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.766{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msdmo.dll10.0.14393.0 (rs1_release.160715-1616)DMO RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdmo.dllMD5=3246C9C5ECF6555103C7119161ACC8C8,SHA256=3A29292F04B09A91C305062E00756194A83BDEA3ABB1BFB783D908E6D1BEBFBC,IMPHASH=B5AB2AA782AD334C5633AAE30A2CFF41trueMicrosoft WindowsValid 734700x800000000000000088915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.766{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000088914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.765{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mfplat.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Platform DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfplat.dllMD5=6B3DD2386B60D0003B3A0A1AE706A9C5,SHA256=2DF94FA3C88D5D8AB5A981C0182263B5D8161CE0F96687D2DF7892EB4F25104C,IMPHASH=4B0B41F559164385A004BCC689586F63trueMicrosoft WindowsValid 734700x800000000000000088913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.765{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MP3DMOD.DLL10.0.14393.0 (rs1_release.160715-1616)Microsoft MP3 Decoder DMOMicrosoft® Windows® Operating SystemMicrosoft Corporationmp3dmod.dllMD5=A9B35CD3C0A14AE1B9DAA8E4114B8E49,SHA256=25142AF94A5C151055C5DAAB89D183F923CE47EE61D8D3B38DE2BC833FC16E18,IMPHASH=33FA1A40805F452D7ED8E842BB1DA59BtrueMicrosoft WindowsValid 18141800x800000000000000088912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:35.762{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.4398507034477762558C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000088911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:35.762{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.4398507034477762558C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000088910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.761{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-shm2023-01-17 10:32:35.743 11241100x800000000000000088909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.761{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-wal2023-01-17 10:32:35.742 23542300x800000000000000088908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.760{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-walMD5=A64819D7A9C13F823CAAA1EA87467BF6,SHA256=7CD4B4AAD5ECA62A6861F2500B81145A80E230B8A703AE4A8B19CBAC6EABBCD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.758{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-shmMD5=203AE0FCBC01A8B602C482DFBED098C8,SHA256=BEA048413A71C5B85C69683E3D807F979BE0E721C0147CD6536BBF65FD697992,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.753{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.files2023-01-17 10:32:35.753 734700x800000000000000088905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.751{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000088904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.751{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\evr.dll10.0.14393.2515 (rs1_release_1.180830-1044)Enhanced Video Renderer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationevr.dllMD5=4F00E99C3E92226B072C0E80D52A82F4,SHA256=7788212BD473C69B3C8F6705A7470BE783BE0244BC289334EFA579AAD2C9A91C,IMPHASH=C44CF843A574B60FED1B4D29827EBA14trueMicrosoft WindowsValid 734700x800000000000000088903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.750{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dxva2.dll10.0.14393.0 (rs1_release.160715-1616)DirectX Video Acceleration 2.0 DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdxva2.dllMD5=DE24CAC5A0B3CE1AD8057FE258712365,SHA256=5CA1E7FBA01D92AA3F933A00E495460DC5DB38DAD2CAD370782474F50F9C964E,IMPHASH=338B9EB254A5341CE890B2511DF3DFAEtrueMicrosoft WindowsValid 734700x800000000000000088902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.749{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mf.dll10.0.14393.5582 (rs1_release.221130-1719)Media Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmf.dllMD5=1D9ED89EC36FB43303418F557A8B7893,SHA256=20F02D55E45A5EED892A92145FB9244A4F658E73F57048374E327B9504F021F6,IMPHASH=224763A9487AA02E14432742CBC2F08EtrueMicrosoft WindowsValid 734700x800000000000000088901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.748{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\RTWorkQ.dll10.0.14393.479 (rs1_release.161110-2025)Realtime WorkQueue DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRTWorkQ.dllMD5=1EABA23A7305A232C9A16C14806ED091,SHA256=3AD1A84A56EE0DA68B40D40770787FEED3DCF4A74BE172F01BD837FD680396E6,IMPHASH=41E263D9EB0100A59E34B18CF8F6F725trueMicrosoft WindowsValid 11241100x800000000000000088900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.748{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8E68FEE39A64B0603034DCB74B918569F0DEA7312023-01-17 10:32:35.748 734700x800000000000000088899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.747{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mfplat.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Platform DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfplat.dllMD5=6B3DD2386B60D0003B3A0A1AE706A9C5,SHA256=2DF94FA3C88D5D8AB5A981C0182263B5D8161CE0F96687D2DF7892EB4F25104C,IMPHASH=4B0B41F559164385A004BCC689586F63trueMicrosoft WindowsValid 734700x800000000000000088898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.747{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000088897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.746{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000088896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.746{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000088895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.744{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.743{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 11241100x800000000000000088893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.743{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-shm2023-01-17 10:32:35.743 11241100x800000000000000088892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.743{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-wal2023-01-17 10:32:35.742 23542300x800000000000000088891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.740{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-journalMD5=C8F5C72AFB88FBB5D84212A3CAD2D58E,SHA256=EAF3C7B259AC3404061D6AD4DD98ECC6F20DC8376705541FBE7405D67AA2CEAE,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000088890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.740{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000088889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.740{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000088888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.740{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000088887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:35.740{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.11.122853825C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.738{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavutil.dll108.0.2-FirefoxMozilla Foundationmozavutil.dllMD5=6867D0951F37AE86D9BAC1C7ABD95343,SHA256=605191D98C158E9201284627A061D3B6C814C8E919330B69353F791597C096AA,IMPHASH=9FA5AE0F98A584516538DC6DFC2A14DDtrueMozilla CorporationValid 734700x800000000000000088885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.736{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavcodec.dll108.0.2-FirefoxMozilla Foundationmozavcodec.dllMD5=BB22E492883A2EFEA58A6BA3B1289BF2,SHA256=955B98683873AD963157C49A9DAF8BF38BF7FF3A9698803A09D0807603146037,IMPHASH=353D225220D21B28EC6954E0D9F8F6D7trueMozilla CorporationValid 11241100x800000000000000088884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-journal2023-01-17 10:32:35.728 23542300x800000000000000088883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.736{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-journalMD5=8E9AE8479C6E4164651CA47F7183026E,SHA256=AFBAD0D1E4E1CA6B4E8AAB7BA6EE8B7323074C122E5841FD79404D2EA5E04826,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.736{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.736{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000088880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:35.734{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.734{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000088878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.732{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 11241100x800000000000000088877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.732{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E78C7923EB1564CE0E7980AF853121FE231092B52023-01-17 10:32:35.732 18141800x800000000000000088876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:35.732{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.2247569219217675963C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000088875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:35.730{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.2247569219217675963C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.730{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000088873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.730{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000088872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:35.730{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.10.17441778C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.728{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 11241100x800000000000000088870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.728{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-journal2023-01-17 10:32:35.728 734700x800000000000000088869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.728{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000088868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.728{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 11241100x800000000000000088867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.728{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite2023-01-17 10:32:35.728 734700x800000000000000088866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.728{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000088865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.728{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000088864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.726{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000088863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.726{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000088862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.726{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000088861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.726{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000088860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.726{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000088859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.724{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 10341000x800000000000000088858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.724{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000088857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:35.724{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.724{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000088855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.724{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000088854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.724{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000088853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.722{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000088852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.720{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000088851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.720{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000088850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.720{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000088849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.720{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000088848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.718{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000088847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.718{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000088846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.718{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000088845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.716{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000088844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.716{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000088843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.716{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000088842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.716{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000088841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.716{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000088840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.716{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000088839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.716{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000088838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.716{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000088837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.716{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000088836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.714{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000088835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.714{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000088834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.714{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000088833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.714{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x800000000000000088832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.714{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000088831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.714{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000088830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.714{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000088829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.714{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000088828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.714{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000088827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.712{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 11241100x800000000000000088826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.712{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D88C9CA58390E53512691A8424E3FA7B5D004D8E2023-01-17 10:32:35.712 734700x800000000000000088825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.712{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000088824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.712{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000088823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.712{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000088822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.712{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.712{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000088820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.712{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000088819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.710{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000088818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.710{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000088817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.710{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000088816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.710{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000088815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.708{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000088814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.708{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000088813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.708{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000088812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.708{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000088811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.708{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000088810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.708{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.708{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.708{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000088807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.706{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000088806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.706{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000088805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.706{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000088804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.706{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000088803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.704{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000088802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.704{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x800000000000000088801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.704{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.704{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x800000000000000088796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd48f|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.703{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.11.1228538257\1589862946" -parentBuildID 20230104165113 -sandboxingKind 1 -prefsHandle 8964 -prefMapHandle 8960 -prefsLen 29955 -prefMapSize 230565 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f62e819-1371-4ac0-8127-dffa09a81b92} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 8860 1793e0d1658 utilityC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x800000000000000088793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000088792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x800000000000000088791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x800000000000000088788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x800000000000000088785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.702{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.701{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.701{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 10341000x800000000000000088780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.701{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.701{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.701{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.701{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000088776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.701{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.701{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.700{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.700{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.700{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.700{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.700{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.700{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.700{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 10341000x800000000000000088767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.700{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.699{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.699{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.699{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000088763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.699{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.699{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.699{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.698{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000088759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.698{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000088758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.698{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000088757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.693{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.693{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.693{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.693{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.693{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.692{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.692{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.10.174417784\2025242032" -parentBuildID 20230104165113 -prefsHandle 9040 -prefMapHandle 2684 -prefsLen 29955 -prefMapSize 230565 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f116bd56-af1d-48a6-be53-58ccf5578ad5} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 9224 1793e0d0458 rddC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000088750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.691{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.691{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.691{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.691{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.691{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.691{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.690{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.690{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.690{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.690{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.690{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.690{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.689{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.689{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.689{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.689{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.689{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.688{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.688{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.688{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.688{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.688{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.687{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.687{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.687{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.686{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000088724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.686{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 17141700x800000000000000088723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:35.686{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.11.122853825C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000088722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.686{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29C3B313E51A9EB206C273121F5C8D1,SHA256=7AF9C923E59F241E13DDBA8D36B882A6CC5FE4DD3E8F784854E25E968668FAAF,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000088721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:35.686{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.10.17441778C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000088720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.684{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavcodec.dll108.0.2-FirefoxMozilla Foundationmozavcodec.dllMD5=BB22E492883A2EFEA58A6BA3B1289BF2,SHA256=955B98683873AD963157C49A9DAF8BF38BF7FF3A9698803A09D0807603146037,IMPHASH=353D225220D21B28EC6954E0D9F8F6D7trueMozilla CorporationValid 734700x800000000000000088719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.684{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavutil.dll108.0.2-FirefoxMozilla Foundationmozavutil.dllMD5=6867D0951F37AE86D9BAC1C7ABD95343,SHA256=605191D98C158E9201284627A061D3B6C814C8E919330B69353F791597C096AA,IMPHASH=9FA5AE0F98A584516538DC6DFC2A14DDtrueMozilla CorporationValid 11241100x800000000000000088718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.670{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-shm2023-01-17 10:32:35.652 11241100x800000000000000088717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.670{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-wal2023-01-17 10:32:35.652 23542300x800000000000000088716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.670{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-walMD5=463E97EFCA4735D665B45449FDE2DCF0,SHA256=65BCAF0123DDA15D801EB6294E01CD2FCE00D3275350E8B90E856C74729E6E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.668{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-shmMD5=1A6E911B2605C3B7B31A78B827CA03D0,SHA256=6DB5E4FE7B4078D13EA826DEFA6432EB5D2849835111D180B709671D2A792284,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.666{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\98D9B0E08105D88791399C99510968852AB903C02023-01-17 10:32:35.666 11241100x800000000000000088713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.664{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.files2023-01-17 10:32:35.664 22542200x800000000000000088712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.691{F172AD64-7935-63C6-6402-00000000B002}2296play.google.com0::ffff:172.217.1.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.584{F172AD64-7935-63C6-6402-00000000B002}2296plus.l.google.com02607:f8b0:4009:805::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.582{F172AD64-7935-63C6-6402-00000000B002}2296plus.l.google.com0172.217.4.78;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000088709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.579{F172AD64-7935-63C6-6402-00000000B002}2296apis.google.com0type: 5 plus.l.google.com;::ffff:172.217.4.78;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000088708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.652{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-shm2023-01-17 10:32:35.652 11241100x800000000000000088707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.652{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-wal2023-01-17 10:32:35.652 23542300x800000000000000088706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.652{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-journalMD5=F267D8F5C3542568FB8C5B9F7733A708,SHA256=828D19570BB16F1DEDF9E0787C5267DD4E9D6E4930934C88B6BCF88050968F90,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.646{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-journal2023-01-17 10:32:35.640 23542300x800000000000000088704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.646{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-journalMD5=5CC34204853A43CF128BFEF302E4DF35,SHA256=7A209A7367E2F6F8B6A532610048D1BB6BC3CFD2BA672642B316ED19BE7397AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.730{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49540-false172.217.4.78lga15s47-in-f78.1e100.net443https 354300x800000000000000088702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.724{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local63449-false142.250.190.86ord37s34-in-f22.1e100.net443https 354300x800000000000000088701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.710{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63448- 354300x800000000000000088700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.710{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49872- 354300x800000000000000088699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.706{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63343- 354300x800000000000000088698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.695{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49539-false142.250.191.195ord38s31-in-f3.1e100.net80http 354300x800000000000000088697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.675{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49538-false142.250.191.195ord38s31-in-f3.1e100.net80http 354300x800000000000000088696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.640{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49537-false142.250.190.86ord37s34-in-f22.1e100.net443https 354300x800000000000000088695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.615{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49536-false142.250.190.86ord37s34-in-f22.1e100.net443https 354300x800000000000000088694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49535-false142.250.190.86ord37s34-in-f22.1e100.net443https 354300x800000000000000088693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.598{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55158- 354300x800000000000000088692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.598{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65141- 11241100x800000000000000088691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.640{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-journal2023-01-17 10:32:35.640 11241100x800000000000000088690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.640{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite2023-01-17 10:32:35.640 11241100x800000000000000088689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.638{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb2023-01-17 10:32:35.638 11241100x800000000000000088688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.638{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6049A00F37834758E6233342CF24BAB665B5EA812023-01-17 10:32:35.638 11241100x800000000000000088687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.636{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\.metadata-v2-tmp2023-01-17 10:32:35.634 11241100x800000000000000088686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.634{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%292023-01-17 10:32:35.634 11241100x800000000000000088685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.626{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E8E14A0CCF23596E2D1F1E4C47D6F1FDDF3733282023-01-17 10:32:35.626 11241100x800000000000000088684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.620{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0F18F8082E4DAA51C4ACA55CA5AF51F4C66B95992023-01-17 10:32:35.620 11241100x800000000000000088683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.608{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7AEF0F504C4FAE2BF2DD39F1FD04EB24DD067FE42023-01-17 10:32:35.606 11241100x800000000000000088682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.606{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C9429EB662346DEEC5D2BB40985696D78AC77BE82023-01-17 10:32:35.606 11241100x800000000000000088681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.598{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\16862BDB17CDFDF60CA61D120B9258EE6A57D25F2023-01-17 10:32:35.597 11241100x800000000000000088680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F827952DC3136E2E0D817AF7B0C1D731097310C52023-01-17 10:32:35.582 11241100x800000000000000088679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.542{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BACF9BC91F934BF36B78ADF8A22FB52E112E6EC92023-01-17 10:32:35.542 11241100x800000000000000088678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.412{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\69302A4A623EB306C971A3E97E496A32E49CDE2D2023-01-17 10:32:35.410 11241100x800000000000000088677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.379{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\17D49B74DB2DCD283627895B784389845E1FBE2A2023-01-17 10:32:35.379 11241100x800000000000000088676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.327{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\420F6226C1DBABC33502DE77445B1A90B169B16A2023-01-17 10:32:35.327 11241100x800000000000000088675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.325{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ADC95B2FB7F902C45C91A20B2A7A577C085C059E2023-01-17 10:32:35.325 11241100x800000000000000088674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.288{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4A83A5BB561FFF4C8EEA1580EA679647063E25EA2023-01-17 10:32:35.288 11241100x800000000000000088673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.273{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A752BE816C32A166B4212612D41570FEFDA0B4E82023-01-17 10:32:35.273 11241100x800000000000000088672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\01CF55B4546FE57A7A2E7686B0041AB46C3C30BF2023-01-17 10:32:35.269 11241100x800000000000000088671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.266{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9FC8C85689D31525EACE26158B83B464F43A027B2023-01-17 10:32:35.266 11241100x800000000000000088670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.264{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4D498431F88EDD31B86851C36EA0B169639AD5B92023-01-17 10:32:35.264 10341000x800000000000000088669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.231{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 11241100x800000000000000088668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.211{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\27FBA540B609270596342CADAA628B69CB201FD52023-01-17 10:32:35.211 10341000x800000000000000088667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.185{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.185{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.184{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.184{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.184{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000088662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.184{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000088661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.166{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000088660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.166{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF0582DF6A4CF9ED2A505D9ADBD6292,SHA256=CE5179FF3BC897B4AA75E22EBADE76F58B4802260D978678962161A4CC9FA5E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.227{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local63780-false142.250.191.99ord38s28-in-f3.1e100.net443https 354300x800000000000000088658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.159{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49534-false142.250.191.99ord38s28-in-f3.1e100.net443https 354300x800000000000000088657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.145{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63779- 354300x800000000000000088656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.144{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50279- 354300x800000000000000088655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:33.036{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61105-false142.250.191.195ord38s31-in-f3.1e100.net443https 11241100x800000000000000088654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.130{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\78583EB74829DD0999CAEF0E8F40E211E0F3BE072023-01-17 10:32:35.130 11241100x800000000000000088653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.088{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2C26EB368573833F698E00EEC7983EC9B991E2C42023-01-17 10:32:35.088 11241100x800000000000000088652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.064{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F83F911B194C363DBEAB2BB3DC8168A88CD6D632023-01-17 10:32:35.064 11241100x800000000000000088651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.060{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A2CB2D860F871EC5CD874D67DC06465E393A10B92023-01-17 10:32:35.060 23542300x800000000000000088650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.023{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=582B81534C9A04E71C059B129A69EC44,SHA256=538F725C0C651A9205A38AF1DB455918EB57D55E3CFD251818B4FFC18AEDE6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:36.242{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013FE7930A42BF0C043BAC8CFC355FEF,SHA256=B590C8BB09F1A17B2C7B162F885DCA71F85BD59F7FBF1E0B8CBD06D8C4037063,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.997{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B2B1ABE7E2277C710A830860E2823022C4154CA32023-01-17 10:32:36.997 11241100x800000000000000089214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.997{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BB68DE436254DE32E8E939BC059F36D97EFFE0832023-01-17 10:32:36.996 354300x800000000000000089213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.919{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61107-false142.250.191.106ord38s28-in-f10.1e100.net443https 354300x800000000000000089212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.872{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61106-false142.250.190.70ord37s34-in-f6.1e100.net443https 354300x800000000000000089211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.810{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49553-false142.250.191.106ord38s28-in-f10.1e100.net443https 354300x800000000000000089210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49554-false142.250.191.106ord38s28-in-f10.1e100.net443https 354300x800000000000000089209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.793{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64377- 354300x800000000000000089208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.790{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52887- 354300x800000000000000089207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.780{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49552-false142.250.190.70ord37s34-in-f6.1e100.net443https 11241100x800000000000000089206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.879{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\41CB4D18131AA2D4037C33CE09BC083BC6C3984E2023-01-17 10:32:36.878 11241100x800000000000000089205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FC024B682B8B01E260F4887B19D99D48F1AAF6182023-01-17 10:32:36.878 11241100x800000000000000089204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.877{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B6345215A3A277D92FCAD87CC162DD089CC2D4AD2023-01-17 10:32:36.877 11241100x800000000000000089203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.826{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\859144687662929b2023-01-17 10:32:36.826 10341000x800000000000000089202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.788{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.788{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.788{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.785{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.785{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.785{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000089196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.744{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CEC7D553D31DB132CECA37E9845002197DE8AB7B2023-01-17 10:32:36.744 11241100x800000000000000089195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F193242730E90946107D9F7F849C4D0695B7A0782023-01-17 10:32:36.735 11241100x800000000000000089194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.721{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\86608B0FA249DBF1C2E74B81BF6441735F865AE72023-01-17 10:32:36.721 11241100x800000000000000089193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.712{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0435EB270F1A7752BB080E3126065DBD73042CBE2023-01-17 10:32:36.712 734700x800000000000000089192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.697{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 22542200x800000000000000089191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.477{F172AD64-7935-63C6-6402-00000000B002}2296github.githubassets.com0::ffff:185.199.108.154;::ffff:185.199.109.154;::ffff:185.199.110.154;::ffff:185.199.111.154;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.041{F172AD64-7935-63C6-6402-00000000B002}2296github.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.039{F172AD64-7935-63C6-6402-00000000B002}2296github.com0140.82.114.3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.038{F172AD64-7935-63C6-6402-00000000B002}2296github.com0::ffff:140.82.114.3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.679{F172AD64-7935-63C6-6402-00000000B002}2296jnn-pa.googleapis.com02607:f8b0:4009:817::200a;2607:f8b0:4009:818::200a;2607:f8b0:4009:807::200a;2607:f8b0:4009:805::200a;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.665{F172AD64-7935-63C6-6402-00000000B002}2296jnn-pa.googleapis.com0142.250.191.138;142.250.191.170;142.250.191.202;142.250.191.234;142.251.32.10;142.250.190.10;142.250.190.42;142.250.190.74;142.250.190.138;172.217.0.170;172.217.1.106;172.217.2.42;172.217.4.42;172.217.4.74;172.217.4.202;142.250.191.106;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.663{F172AD64-7935-63C6-6402-00000000B002}2296jnn-pa.googleapis.com0::ffff:142.250.191.106;::ffff:142.250.191.138;::ffff:142.250.191.170;::ffff:142.250.191.202;::ffff:142.250.191.234;::ffff:142.251.32.10;::ffff:142.250.190.10;::ffff:142.250.190.42;::ffff:142.250.190.74;::ffff:142.250.190.138;::ffff:172.217.0.170;::ffff:172.217.1.106;::ffff:172.217.2.42;::ffff:172.217.4.42;::ffff:172.217.4.74;::ffff:172.217.4.202;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.693{F172AD64-7935-63C6-6402-00000000B002}2296play.google.com02607:f8b0:4009:801::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.692{F172AD64-7935-63C6-6402-00000000B002}2296play.google.com0172.217.1.110;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000089182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.675{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\41522FB3FBBB695BAC1A1374EB697FFB3BA873832023-01-17 10:32:36.675 354300x800000000000000089181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.764{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53664- 354300x800000000000000089180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.759{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51776- 354300x800000000000000089179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.607{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52949- 354300x800000000000000089178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.604{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63522- 354300x800000000000000089177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.604{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50890- 354300x800000000000000089176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.603{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52734- 354300x800000000000000089175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.602{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62992- 11241100x800000000000000089174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.631{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2409F6CA91CED7F515D908B691BE372E739C27D22023-01-17 10:32:36.631 11241100x800000000000000089173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\224E466C4F29DF00E0FF2964DF96BBC86C764D2C2023-01-17 10:32:36.630 11241100x800000000000000089172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.629{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EA722F66BB817F91AC02B04448017AD66241C9BC2023-01-17 10:32:36.629 11241100x800000000000000089171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.629{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\61418A9D5AEDEE0C60487F3D7EDF374BA0BEED132023-01-17 10:32:36.629 11241100x800000000000000089170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.628{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A0E631B0F3EBD6B72AF5EB95051B93FC41D88F7A2023-01-17 10:32:36.628 11241100x800000000000000089169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\72889BCBB1A9D16D02FDA8C4D70847C89BAEC6ED2023-01-17 10:32:36.627 11241100x800000000000000089168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1E112FA43466DB30F7F3714EFB4826453516ADD22023-01-17 10:32:36.627 11241100x800000000000000089167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.624{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 11241100x800000000000000089166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.624{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\374167805219C8BA33C0C921CB84FA8465A446BD2023-01-17 10:32:36.624 23542300x800000000000000089165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.624{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819F75F28CD42DDF4BC7A03DA4B1815F,SHA256=0D85C59A8ACBB3FEB4729C65EF3A028D4FCF02BB8D8B3414309534C9B46CAAF4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.623{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F1D0FCDC18E42BF416D6A2577F5791758BB121502023-01-17 10:32:36.623 11241100x800000000000000089163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.623{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1DB8D416E7919B5636FDDC17243461B388DA0F4A2023-01-17 10:32:36.623 11241100x800000000000000089162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.622{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BE88D7680557B3820CA90BE0494D2DE90DF685B72023-01-17 10:32:36.622 11241100x800000000000000089161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.621{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\86ADEC5A58B02E4433E25F273AECC74F76BF5C4A2023-01-17 10:32:36.621 11241100x800000000000000089160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.621{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FC0849AB1B0C87FC42B32B4CDA479B94325395C82023-01-17 10:32:36.620 11241100x800000000000000089159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.620{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\004D07E8B2B8D7E761A3DEF24B014E4238890E7F2023-01-17 10:32:36.620 11241100x800000000000000089158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.619{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\32F4A7B4165C3E6D6BBCBE372DF1ED27FC0C474F2023-01-17 10:32:36.619 11241100x800000000000000089157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.618{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CC103D8A0C1E8C003E5281955A51EA723D457E9D2023-01-17 10:32:36.618 11241100x800000000000000089156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.618{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\70AB7096BF0DA3F92E7B97A45322C3AD565F618B2023-01-17 10:32:36.618 11241100x800000000000000089155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.617{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D07E28EB4A24A657C638060721C7499A21894DD32023-01-17 10:32:36.617 10341000x800000000000000089154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.617{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.616{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7984D949C3D45E833EF8030BB1D079009E84C8DC2023-01-17 10:32:36.616 11241100x800000000000000089152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.616{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D6C8BE64586939088564C85C23C77ACEFB8A77B02023-01-17 10:32:36.615 11241100x800000000000000089151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.613{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\316A2BED57B36D0AC4898BAE0E4A7415B08AD6522023-01-17 10:32:36.613 11241100x800000000000000089150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.613{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C03C889BC477E453C11EC5F4D4AF6724433FBFDE2023-01-17 10:32:36.612 11241100x800000000000000089149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.610{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\80C6E0159FDBC6F5760958AFFC75CE8EDB0FE2062023-01-17 10:32:36.610 11241100x800000000000000089148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\12735C014A4D240D45229CC6581FBDF25E2865C22023-01-17 10:32:36.609 11241100x800000000000000089147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.608{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6B257BF26944D824917AE50113575A5848F0762A2023-01-17 10:32:36.608 11241100x800000000000000089146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.607{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\876F7F132C6FC78C5230CBFA6BAF7080FF35FC9F2023-01-17 10:32:36.607 11241100x800000000000000089145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.606{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\06A83A2C8684AAAB9E2C920382803DC4CD46F1372023-01-17 10:32:36.606 11241100x800000000000000089144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.606{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A7573D83C710387A5388A2FE5CDA97D2030A7F542023-01-17 10:32:36.605 11241100x800000000000000089143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.605{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A6B353E18D870B6D99D58C90CB8604CA79DCFEEB2023-01-17 10:32:36.605 11241100x800000000000000089142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.605{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0050CC213C8071FF453567C8F88722D7AFDEFBE42023-01-17 10:32:36.604 11241100x800000000000000089141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.603{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B47F856B70508C8E1A5E196D649DFA9F6966DC792023-01-17 10:32:36.603 11241100x800000000000000089140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.601{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\61DA49B57CE5F853CC86946AFE5A90771ECDA8A92023-01-17 10:32:36.600 11241100x800000000000000089139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.600{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B82928E2EF243BD2EF0C53DF278C3B7511D271392023-01-17 10:32:36.600 11241100x800000000000000089138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.599{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B71128A3D87A907BC4B49AF033FAD7D7AD3CC01D2023-01-17 10:32:36.599 11241100x800000000000000089137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.598{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3807AE49FF10A5B25AF6869E15ECE1D5D55E99512023-01-17 10:32:36.598 11241100x800000000000000089136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.596{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3ABF408077312B1105683B1EDE314901B04CBFB02023-01-17 10:32:36.596 11241100x800000000000000089135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.594{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B0A0755D5E07084B928FB1818C18BA33669DDFD62023-01-17 10:32:36.594 11241100x800000000000000089134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.593{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\926AA7EDCEC4F94C50DF148B91AE7724509D83DF2023-01-17 10:32:36.593 11241100x800000000000000089133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.592{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FA8463BA301DD689EA51D421FB1E086CFB77CCCA2023-01-17 10:32:36.592 11241100x800000000000000089132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.587{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D507B35C64880758721F5853C44F629B85E4A57B2023-01-17 10:32:36.587 11241100x800000000000000089131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.586{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B507743585D2A342E8F823B858473674EF59FF492023-01-17 10:32:36.585 11241100x800000000000000089130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.585{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3502D22AE3E94863F7BD48B2EA106E0A8ED66DB42023-01-17 10:32:36.585 11241100x800000000000000089129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.584{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\60725DE15CF28CABF19DFEEC0B1D3663ECA15B222023-01-17 10:32:36.584 11241100x800000000000000089128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\305F311FCC936AC31F54C6464A5E5AD657733B3F2023-01-17 10:32:36.581 11241100x800000000000000089127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.568{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E2110E1A4063D91BE182B70A2C16111509B15F702023-01-17 10:32:36.568 11241100x800000000000000089126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.567{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CCCB9757AF51C6B765E747507DB99DE4002ADC682023-01-17 10:32:36.567 11241100x800000000000000089125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.567{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\10B30A45954CEF68CC68E371BE41B4D17C1E02BB2023-01-17 10:32:36.566 23542300x800000000000000089124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.566{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\data.sqlite-journalMD5=49859FDF551198174858D6063D823246,SHA256=C79C5A064843966865973AA3C415CF9EA3ABDD2FADEED48A20D34463D1531981,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.561{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BEDA0103DDE0F23918705D6713C5611B85B9F9D32023-01-17 10:32:36.561 11241100x800000000000000089122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\usage2023-01-17 10:32:36.557 11241100x800000000000000089121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C41FABB1287A4B028CAA5CBE78B1B3FAB82CA5C32023-01-17 10:32:36.558 11241100x800000000000000089120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.557{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D9FAD8190A02157F67D31EFE224F9646188393E72023-01-17 10:32:36.557 11241100x800000000000000089119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.557{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\usage-journal2023-01-17 10:32:36.557 11241100x800000000000000089118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.556{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D91BC901421D6EC2856E0170D836F72794C98BA02023-01-17 10:32:36.556 11241100x800000000000000089117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.556{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\data.sqlite-journal2023-01-17 10:32:36.505 23542300x800000000000000089116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.555{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\webappsstore.sqlite-walMD5=977A093DCB5B804D7DC82D4B5EF2313D,SHA256=A09B0C1ADB66CD67FAEE463D7CE5C04E158C9A32568FD87BB0C967456E29E480,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.555{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DE6FE4B9A704ACBE491FCF02606CDC001C5368282023-01-17 10:32:36.554 23542300x800000000000000089114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.553{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\webappsstore.sqlite-shmMD5=63E8440654A5473AA72CB43B8FEACF2D,SHA256=F554E4C4EFA8AA15DCF919C29F4E72DBFF70E49EE6553276B7F85AD9C3718B49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.542{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\webappsstore.sqlite-shm2023-01-17 10:32:36.541 11241100x800000000000000089112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.542{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\startupCache\scriptCache-child-new.bin2023-01-17 10:32:36.541 11241100x800000000000000089111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.540{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\webappsstore.sqlite-wal2023-01-17 10:32:36.540 23542300x800000000000000089110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.540{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\webappsstore.sqlite-journalMD5=215372ECF1DCD93EC46A768DD53D6304,SHA256=A7006703DFA31B36615BB11449500E23F1A8F66BD2BCEFAAC72678BF5805EEAD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.533{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\webappsstore.sqlite-journal2023-01-17 10:32:36.533 11241100x800000000000000089108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.531{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\webappsstore.sqlite2023-01-17 10:32:36.531 23542300x800000000000000089107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.531{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\data.sqlite-journalMD5=9A9FE57A97DE6309AA84AF497D568E1E,SHA256=9E962C742829A1BE36780A50E7F23436637BD2A08821D2852E0E252B62605658,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.529{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\startupCache\scriptCache-new.bin2023-01-17 10:32:36.528 11241100x800000000000000089105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.524{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\data.sqlite-journal2023-01-17 10:32:36.505 23542300x800000000000000089104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.524{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\data.sqlite-journalMD5=CB05A2AAE7B419DAE43DCE654462DE21,SHA256=139DBC973ECC75134B8974FC07C173C0B0DEDC3757CFB678C44959E792CEE7E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.516{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\data.sqlite-journal2023-01-17 10:32:36.505 23542300x800000000000000089102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.515{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\data.sqlite-journalMD5=4726F2E80AAC6F0E78E251407B2CD9B2,SHA256=9DFBF08C9179CD9491976E87FFD7F72C3C3B391E66AB2E7E3C528A137F3BFC58,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.505{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\data.sqlite-journal2023-01-17 10:32:36.505 11241100x800000000000000089100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.503{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls\data.sqlite2023-01-17 10:32:36.503 11241100x800000000000000089099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.503{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\ls2023-01-17 10:32:36.503 11241100x800000000000000089098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.493{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\startupCache\urlCache-new.bin2023-01-17 10:32:36.493 23542300x800000000000000089097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.473{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-walMD5=82A4E8FE4BF13A94781CFC2C6D4CA537,SHA256=4A1425A5B47C18137B9C77E6EB992D7789310DD66676E9BB677745DED5DD6E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.473{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-walMD5=7325D5DA72E49297C78C818A7F3986BD,SHA256=DFEA5AF90EF2C623EC35B7396C0A11ED02F748245ADE067E00B7A3852BD91622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.473{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2023063715LCo7g%sCD7a%taadbea5s.sqlite-shmMD5=1FCFA9E2BB853478BC3346946307B35F,SHA256=3B23506941F8D0E8FC18B44BF2176593C1F86FBE1A068962EE7DE6665DC679FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.471{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite-shmMD5=FC27DCFE74D951744DE9E2BC98873918,SHA256=82DE474320A084E7FC2CA6E3E4849FBD5E21FB2695842051E672CE9AD3919FBD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.465{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3EB68F0C0D168C02D744650CFB91930419109BA82023-01-17 10:32:36.463 10341000x800000000000000089092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.463{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6F02-00000000B002}4948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.437{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-6E02-00000000B002}1804C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.431{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 11241100x800000000000000089089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.358{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.358{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CE5073260EE131E3A0C3D7B7083F71,SHA256=6D3D3F3E6806C073ADD8DB5EAC734F491F117EBCFE7CB7FD9EFC066C1C4C7A20,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000089087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.316{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000089086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.315{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000089085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.313{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.312{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.308{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000089082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.307{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000089081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.306{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000089080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.303{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000089079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.302{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.302{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.302{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000089076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.301{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000089075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.299{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000089074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.298{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000089073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.298{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000089072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.298{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000089071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.297{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000089070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:36.294{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-8C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000089069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:36.294{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-8C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000089068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.292{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000089067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.292{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000089066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.292{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000089065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.280{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.279{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000089063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.278{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000089062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:36.277{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.13499022295922759535C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000089061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:36.277{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.13499022295922759535C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000089060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.277{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000089059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.276{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000089058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:36.276{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.12.26635393C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000089057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.272{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000089056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:36.272{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000089055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.268{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000089054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.267{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000089053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.267{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000089052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.267{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000089051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.267{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000089050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.266{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000089049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.266{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000089048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.266{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000089047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.265{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000089046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.265{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000089045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.265{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000089044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.264{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000089043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.263{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000089042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.263{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000089041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.263{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000089040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.263{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000089039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.262{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000089038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.262{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000089037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.261{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000089036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.260{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000089035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.260{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000089034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.259{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000089033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.259{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000089032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.258{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000089031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.257{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000089030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.256{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000089029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.255{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000089028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.255{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000089027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.254{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000089026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.254{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000089025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.253{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000089024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.252{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000089023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.252{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.252{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.252{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.251{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.251{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000089018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.250{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000089017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.249{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000089016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.249{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000089015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.241{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000089014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.241{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.239{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.239{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.239{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.12.266353931\1556811637" -childID 9 -isForBrowser -prefsHandle 2252 -prefMapHandle 8632 -prefsLen 29955 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff85e6f2-00d9-4785-9e4f-5f8514eab892} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 8644 1793fb9bf58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000089010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.238{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.238{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.237{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.237{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.237{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.237{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.237{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.237{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.237{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.236{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.236{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.236{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.236{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.236{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.236{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.235{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.235{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.235{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.235{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.235{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.235{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.234{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.234{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.234{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.234{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.234{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000088984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:36.232{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.12.26635393C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000088983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.214{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local53821-false172.217.0.174mia09s16-in-f14.1e100.net443https 354300x800000000000000088982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.186{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49551-false172.217.0.174mia09s16-in-f14.1e100.net443https 354300x800000000000000088981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:34.063{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local53820-false172.217.5.2lga15s49-in-f2.1e100.net443https 23542300x800000000000000088980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.104{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=5AFD9269198D7912770F03076CFBFAF6,SHA256=2E927C51060DFFEECF201D6684963AA1C50FA7625EB591BC11FDEC40068939DA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000088979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.095{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:32:24.361 11241100x800000000000000088978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.024{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FA89468F69FAC8E0EFEEB59ACF2778CF259CAD772023-01-17 10:32:36.024 354300x800000000000000069010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:36.249{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50340-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:37.452{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D808FF86010DD8DCCE3C88F3976AF2DC,SHA256=524D9E8E7EB53B12CC4444E3F4A9A945987BCB23E9F26582530764648D050A1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.914{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49569-false185.199.109.133cdn-185-199-109-133.github.com443https 354300x800000000000000089388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.905{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61680- 354300x800000000000000089387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.902{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61997- 23542300x800000000000000089386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.888{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=92196DF2790203E53C54927E3E7661DE,SHA256=7EEBBFDF6E90220750AD6122392DCE0B0AE6E38ACBEA93914EEE7F5D39CE86CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.887{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=EC6A5B1C5979FB80A4664DC26DD35CB3,SHA256=432B2A6CCD2E745BF0B119CA4AAA8317E73C243CC12C56E3A240A682FDD70D9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.790{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.790{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.789{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.788{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.788{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.788{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 22542200x800000000000000089378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.117{F172AD64-7935-63C6-6402-00000000B002}2296api.github.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.115{F172AD64-7935-63C6-6402-00000000B002}2296api.github.com0140.82.112.5;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.114{F172AD64-7935-63C6-6402-00000000B002}2296api.github.com0::ffff:140.82.112.5;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.107{F172AD64-7935-63C6-6402-00000000B002}2296glb-db52c2cf8be544.github.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.105{F172AD64-7935-63C6-6402-00000000B002}2296glb-db52c2cf8be544.github.com0140.82.112.21;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.103{F172AD64-7935-63C6-6402-00000000B002}2296collector.github.com0type: 5 glb-db52c2cf8be544.github.com;::ffff:140.82.112.21;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.780{F172AD64-7935-63C6-6402-00000000B002}2296raw.githubusercontent.com02606:50c0:8000::154;2606:50c0:8001::154;2606:50c0:8002::154;2606:50c0:8003::154;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.778{F172AD64-7935-63C6-6402-00000000B002}2296raw.githubusercontent.com0185.199.110.133;185.199.111.133;185.199.108.133;185.199.109.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.777{F172AD64-7935-63C6-6402-00000000B002}2296raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.539{F172AD64-7935-63C6-6402-00000000B002}2296avatars.githubusercontent.com02606:50c0:8003::154;2606:50c0:8000::154;2606:50c0:8001::154;2606:50c0:8002::154;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.538{F172AD64-7935-63C6-6402-00000000B002}2296avatars.githubusercontent.com0185.199.111.133;185.199.108.133;185.199.109.133;185.199.110.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.536{F172AD64-7935-63C6-6402-00000000B002}2296avatars.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.480{F172AD64-7935-63C6-6402-00000000B002}2296github.githubassets.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.478{F172AD64-7935-63C6-6402-00000000B002}2296github.githubassets.com0185.199.109.154;185.199.110.154;185.199.111.154;185.199.108.154;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000089364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.676{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.675{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06528A6F72AE77EC92D581F4F4E0C80B,SHA256=262440CB8FDFF00977DB3E4ADA7C13601ACB29721ADD50F3320127162E0CFC4A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.674{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.674{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D845CE5D017D8D6AF701A88CBF3831,SHA256=34DF79959F0E71683CBD2BD41AEDCED63F834E9081193674CC483879ECD560AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.693{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49567-false185.199.110.133cdn-185-199-110-133.github.com443https 354300x800000000000000089359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.692{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49566-false185.199.110.133cdn-185-199-110-133.github.com443https 354300x800000000000000089358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.692{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49564-false185.199.110.133cdn-185-199-110-133.github.com443https 354300x800000000000000089357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.692{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49568-false185.199.110.133cdn-185-199-110-133.github.com443https 354300x800000000000000089356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.692{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49565-false185.199.110.133cdn-185-199-110-133.github.com443https 354300x800000000000000089355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.687{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49563-false185.199.110.133cdn-185-199-110-133.github.com443https 354300x800000000000000089354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.666{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50703- 354300x800000000000000089353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.665{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52323- 354300x800000000000000089352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.663{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62111- 354300x800000000000000089351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.619{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52839- 354300x800000000000000089350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.618{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53074- 354300x800000000000000089349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.615{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49561-false185.199.108.154cdn-185-199-108-154.github.com443https 354300x800000000000000089348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.615{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49560-false185.199.108.154cdn-185-199-108-154.github.com443https 354300x800000000000000089347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49562-false185.199.108.154cdn-185-199-108-154.github.com443https 354300x800000000000000089346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49559-false185.199.108.154cdn-185-199-108-154.github.com443https 354300x800000000000000089345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49558-false185.199.108.154cdn-185-199-108-154.github.com443https 354300x800000000000000089344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49557-false185.199.108.154cdn-185-199-108-154.github.com443https 354300x800000000000000089343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.606{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54818- 354300x800000000000000089342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.606{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50695- 354300x800000000000000089341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.602{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65489- 354300x800000000000000089340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.203{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49556-false10.0.1.12-8000- 354300x800000000000000089339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.178{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49555-false140.82.114.3lb-140-82-114-3-iad.github.com443https 734700x800000000000000089338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.511{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000089337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.510{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000089336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.508{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.507{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.504{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000089333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.502{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000089332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.502{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000089331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.499{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000089330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.498{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.498{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.498{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000089327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.496{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000089326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.494{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000089325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.494{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000089324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.494{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000089323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.493{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000089322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.493{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000089321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:37.490{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-9C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000089320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:37.490{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-9C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000089319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.488{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000089318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.488{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000089317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.488{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000089316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.476{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.474{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000089314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.474{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000089313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:37.473{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.1838845059835345129C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000089312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:37.473{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.1838845059835345129C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000089311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.473{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000089310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.472{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000089309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:37.472{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.13.164895434C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000089308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.468{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000089307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:32:37.468{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000089306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.464{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000089305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.463{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000089304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.463{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000089303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.463{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000089302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.462{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000089301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.462{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000089300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.462{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000089299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.462{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000089298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.461{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000089297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.461{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000089296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.460{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000089295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.460{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000089294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.459{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000089293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.459{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000089292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.458{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000089291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.458{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000089290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.458{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000089289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.458{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000089288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.456{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000089287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.456{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000089286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.455{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000089285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.455{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000089284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.455{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000089283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.454{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000089282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.454{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000089281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.452{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000089280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.451{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000089279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.451{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000089278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.451{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000089277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.450{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000089276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.450{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000089275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.450{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000089274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.448{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000089273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.448{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000089272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.447{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000089271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.447{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000089270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.447{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000089269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.447{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.441{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.441{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.441{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.441{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.441{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.440{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.440{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.13.1648954348\981709095" -childID 10 -isForBrowser -prefsHandle 8508 -prefMapHandle 5216 -prefsLen 29955 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f98d940d-aeda-4c66-805a-ff75f50372a8} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 4568 1793c78f958 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000089261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.439{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.439{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.439{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.439{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.439{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.439{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.438{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.438{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.438{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.438{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.438{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.438{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.437{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.437{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.437{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.437{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.437{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.437{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.436{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.436{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.436{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.436{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.436{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.436{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.435{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.435{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000089235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:37.434{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.13.164895434C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000089234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.315{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D4D1C137AC2DED0484211730F16655FE2672EB302023-01-17 10:32:37.315 11241100x800000000000000089233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.172{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9E010DB97DA58D0F0EAAEBCD26509E8D3C9B33E62023-01-17 10:32:37.172 11241100x800000000000000089232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.147{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.147{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA890E19DF4193BE8564DA7CEF68C5A,SHA256=2B13687D8F0294F5621E60DD448A7C79F75CD07E790AA0E0A604604E0C5F5DFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:35.165{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51801- 11241100x800000000000000089229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.088{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB552023-01-17 10:32:37.087 11241100x800000000000000089228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.075{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FF4FA6D964A9B855A994A2D7E5FCA61ABD42FA092023-01-17 10:32:37.074 10341000x800000000000000089227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.055{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.055{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.055{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.054{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.054{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.054{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000089221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C5171D6ECD8D6303B9454E23E6D080A5053149492023-01-17 10:32:37.041 11241100x800000000000000089220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.034{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DDD14E801519662E6CDC8D93BF82E32CEC5471B02023-01-17 10:32:37.033 11241100x800000000000000089219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.032{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\75DC655E787722B41E3A1E713B2D525F13E7F72F2023-01-17 10:32:37.031 11241100x800000000000000089218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.023{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D6364A716C5714F509AA1CBDFBF46441621D17A72023-01-17 10:32:37.023 11241100x800000000000000089217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.007{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DA7994A7A04B5F7996A61CFC33CE0CEFE95C7D432023-01-17 10:32:37.007 11241100x800000000000000089216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.999{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F83A6F6118E868AF1DB91BF8B46ABB467D3A10CC2023-01-17 10:32:36.999 23542300x800000000000000069011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:38.565{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3271167BD3837B85A303B53BFBA316EC,SHA256=EC3BAE41EC1F2FD202C6B300A24FF067FA82D2A46E92A48B063123F56F400DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.968{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=8A16CA56555CE49FC323E9CAB25BD479,SHA256=DF54B4D60B355E0500F759CF800D12C52CCEF66D80F02F2BA7A53D2F729FA292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.965{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=A0660775EE1F5D068212207596340B86,SHA256=B835A1669E9D7AE385FAE20E44373BA38C625DD0C36C5B537D664D45A00619CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.790{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.789{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000089411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.789{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000089410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.704{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.704{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F152F45D8B7631951FBDF98EBCB86087,SHA256=BF7BDABFC5BA28B1F8955CCBCC8367F3AC310104913F43A56D614AE7E44C8BFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.254{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49571-false140.82.112.5lb-140-82-112-5-iad.github.com443https 354300x800000000000000089407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.244{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49570-false140.82.112.21lb-140-82-112-21-iad.github.com443https 354300x800000000000000089406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.243{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51369- 354300x800000000000000089405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.242{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62011- 11241100x800000000000000089404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.597{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\53A589DF39B98355035DE14C9D24CDB58C5307222023-01-17 10:32:38.597 11241100x800000000000000089403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.597{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\179986A67DE738EDD3DA7EDF83D4BAACDE59E5AD2023-01-17 10:32:38.595 11241100x800000000000000089402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.595{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6AC9BD0802E051FCD579CC69A96979DE29682F3D2023-01-17 10:32:38.595 11241100x800000000000000089401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.595{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4C863284CDA7F859EB300BED16DBCEF9517F18242023-01-17 10:32:38.594 11241100x800000000000000089400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.594{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0734246260C3200AD97D93643F56DC7A405E2AEA2023-01-17 10:32:38.594 11241100x800000000000000089399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.593{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8C3B1E58ACEF35E5DE22AA24F592CF43B56323E12023-01-17 10:32:38.593 11241100x800000000000000089398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.593{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\67FA364673709B2531102838492206F0C3153D8C2023-01-17 10:32:38.593 11241100x800000000000000089397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.593{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F18D85F52EBBBA2AB081EF739ED0D6E8A76D497C2023-01-17 10:32:38.592 10341000x800000000000000089396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.369{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.369{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.369{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.369{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.368{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:38.368{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000089390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.232{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55823- 11241100x800000000000000089438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.723{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.723{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC9CA6BC83ACED5561F8341D702AEDE,SHA256=E1B05C2E662CA6B49D503D5E251B0B1483FD5DD8D17B7051360C0BA1B1614ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:39.663{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17782C2E7BCD40C3D468B8345B001B79,SHA256=B44A90493F1BC7EA2465E2AB123B751C028E07A2CC099B138D5AF2BA19E62543,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.647{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local51375- 354300x800000000000000089435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.647{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local61984- 354300x800000000000000089434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.646{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local61974- 354300x800000000000000089433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.622{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61984- 354300x800000000000000089432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.622{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51375- 354300x800000000000000089431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.621{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61974- 354300x800000000000000089430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:36.621{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50356- 23542300x800000000000000089429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.635{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=D7FB1E043F775058D2AEA790CD3F290C,SHA256=57739CC359211E7C1E3C12FD597E6766B48356533BC5280E61BA31CC522F04FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.628{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\usage2023-01-17 10:32:39.627 11241100x800000000000000089427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\usage-journal2023-01-17 10:32:39.627 11241100x800000000000000089426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.624{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journal2023-01-17 10:32:39.602 23542300x800000000000000089425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.624{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=408CB1290CE0B4CF65EB95E3B2A1BDE1,SHA256=BDAE638CDDCC404D7E6906E3030177C254EDAC746EBC9228DB100C114F8E9483,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.616{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journal2023-01-17 10:32:39.602 23542300x800000000000000089423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.616{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=B2A30920A6066A5AE547AE45C1C8998B,SHA256=7376F24DAC9A2FF01E72E3C8B63CB8E961AF080822530BB209AD42B83D61745D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.610{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journal2023-01-17 10:32:39.602 23542300x800000000000000089421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.610{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=92CCC8EB49DA78D20D18A0DE0FBC3DF7,SHA256=B53117FE6F908862EA3302D83A21D3F9DFAD542407BCA0E003EDDF5DA1B1C27E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.602{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journal2023-01-17 10:32:39.602 11241100x800000000000000089419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.601{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite2023-01-17 10:32:39.601 11241100x800000000000000089418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.601{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls2023-01-17 10:32:39.601 11241100x800000000000000089417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.598{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\.metadata-v2-tmp2023-01-17 10:32:39.598 11241100x800000000000000089416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:39.597{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com2023-01-17 10:32:39.597 11241100x800000000000000089443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:40.821{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:40.820{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A599D9F6B46F92B772983954C217DB,SHA256=7F82ABAFF9A138AB9BE3DDA0BA93EE0155941689E9D7034851A5F32C5F7AED8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:40.756{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D9C93EF23A494DA053077E479AA795,SHA256=FA688D08F329D3C34AFA6C4A7B9B3D4A15ADB572AC49B11461A4C8D3E58E76B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:37.699{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63646- 23542300x800000000000000089440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:40.165{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journalMD5=D89F26712907D6F378EDB8E8636BFB00,SHA256=C4D4044C73806646011C74ECE5500368D684120CF5509C4602C0D02F2D864922,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:40.159{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journal2023-01-17 10:32:23.983 11241100x800000000000000089461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.926{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.926{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1756209B3E1B3CD37519A217B45FDDE,SHA256=E889A1364665BB7EA551E1928746CCE64757EE2D4A230A68AAA039A2B937382B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.905{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=BD940FED8157B42A4B826FB4CE6F439E,SHA256=807BFE480EC01EF894E6C52B47B1BFD10A8CF4B3D05BA25E82CEB6E14293A661,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.898{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\usage2023-01-17 10:32:41.892 11241100x800000000000000089457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.892{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\usage-journal2023-01-17 10:32:41.892 11241100x800000000000000089456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.890{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\data.sqlite-journal2023-01-17 10:32:41.864 23542300x800000000000000089455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.890{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=B1C2DC42B0467377C0E706D4BD19322C,SHA256=7F752DA15DA71B6677451BDFAC0F530D01CDC57D791A0BDB91BCEAA84E40B95C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\data.sqlite-journal2023-01-17 10:32:41.864 23542300x800000000000000089453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.882{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=34B2FECAA06717AE310018F8B33DC7A1,SHA256=E8DF5123B49E7C2CBB56E2CDD43EEA88D243EF0645CE3A43EC16732930D0592B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.874{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\data.sqlite-journal2023-01-17 10:32:41.864 23542300x800000000000000089451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.874{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\data.sqlite-journalMD5=C8BEB292ACF3D31E0616D52DB9CA369E,SHA256=B3249A75E0E03886C6C534744401778D4FA3A4E90980055046959EFE4A21100C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.866{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\data.sqlite-journal2023-01-17 10:32:41.864 11241100x800000000000000089449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.864{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls\data.sqlite2023-01-17 10:32:41.864 11241100x800000000000000089448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.864{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\ls2023-01-17 10:32:41.864 11241100x800000000000000089447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.860{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com\.metadata-v2-tmp2023-01-17 10:32:41.860 11241100x800000000000000089446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.860{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++github.com2023-01-17 10:32:41.860 23542300x800000000000000069014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:41.773{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31490194FBA65A76CB97442D16147530,SHA256=A5B405C83F74DE75A66C037575A099804BF8B2E4D20CE0A4F15B81F3F4706845,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.511{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0595C267C3048BDA383FE4FDF91DB6A12281DE5A2023-01-17 10:32:41.511 11241100x800000000000000089444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:41.459{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\324DF071CECFF205E513A14FB6FE3E2EDC07F55C2023-01-17 10:32:41.459 23542300x800000000000000069015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:42.888{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE72A47CDC8CF277E2F3165E234D307,SHA256=9AFD47DA62EF244B0AE9C3F3D428C32895EAB150137582796B8B3C86579987F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:42.944{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:42.944{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F280029BCD4A39101A986A967C48720,SHA256=798944194A44947714CB5FA08B5AF98A6E408702BC477233566E7528480153A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:40.327{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49572-false10.0.1.12-8000- 11241100x800000000000000089463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:42.569{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:32:42.569 11241100x800000000000000089462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:42.516{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\43688113f74fa7232023-01-17 10:32:42.516 23542300x800000000000000069017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:43.988{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAD9FCA950F8EFB8FC7E9A7D9B2C9AC,SHA256=B8A244D3C08244D41EFAAA1A3623EDD0B5C44DF82C54975F067383468382B92F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:42.160{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50341-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000089468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:43.950{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:43.950{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517A8645E16B2E8C78C7F9FF8BA0326E,SHA256=97C72601817B6356D0D96976007CD6AD1D844E014E4E3AC848BBB79DF5DF21F2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:44.961{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:44.959{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DAEC94B51A677DC87FF671D6E629F32,SHA256=8353E1E83EC9A2C2F3EC8DD8368B1C37E9BFE20A1E4500058C4F030A58AA6951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:44.505{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=04DAB0AE874BA3A648D13B31ED64CE2D,SHA256=2F0E93B24DF597F3C51CA9BCE0E302C6D69C344435DEBD2EED78488AD24952B1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:44.569{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\4c09e0a37b0c06f52023-01-17 10:32:44.569 11241100x800000000000000089475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:44.565{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CD3DA7E77BDAA4996D8818937EF98ED46CDE984F2023-01-17 10:32:44.565 11241100x800000000000000089474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:44.467{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8BEEFEDEB8E2314E4F18C358D5DE166BC2D53C5B2023-01-17 10:32:44.467 11241100x800000000000000089473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:44.412{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\94A5D812AB8FFF641A05D8B6D0BABF473EC024862023-01-17 10:32:44.411 11241100x800000000000000089472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:44.343{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\138299FDEF8143105BF66A960D7AA5D4A41353922023-01-17 10:32:44.343 11241100x800000000000000089471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:44.293{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\466282F3853C6FEA2CA254587D7E9E6BDA55E1E22023-01-17 10:32:44.293 11241100x800000000000000089470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:44.255{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CF6430701106C0ABABABB32B705CDDC6D56213462023-01-17 10:32:44.255 11241100x800000000000000089469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:44.020{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BEA3594D151611AC9D577F5C85339C0DF037F53E2023-01-17 10:32:44.020 23542300x800000000000000069019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:45.083{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA64B5F3746D4E62215EF1B619640F0,SHA256=E8723BD66169EA4059C6790C6940E7A385A7EF1B5EDA3B130F8DC0F9C7FEF9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:45.873{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=ACCE605EFDA5D89CCD1B6E2E6557B5A9,SHA256=6CFBDC73093706CCC33D7EC9177B16CA145510073B2FB314CBA7274C5FF94DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:46.288{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A520BEC698ECEC9EC22CB9578DADAF3,SHA256=ABA5260F0EA7F584F58AA4853C5280E24F96EF144CB13E21BB02B38DD01F897A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:46.167{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:46.167{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7EB281A67EE4067A0D672F6BA3F618,SHA256=FA74FD80E8FC46AFEEC15C8B7ED45EA1F9ED1D31B721D62448D2D36D4BAFB6B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:47.372{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D073A306BA6FB2672838232E209F13D,SHA256=2DD76136648B5E2BCAA153131AD7B3B1573BB304BBE01AF83CC49893A7EFCF14,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.914{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\c4e4674f34106eee2023-01-17 10:32:47.914 10341000x800000000000000089493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.672{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+f6d8c2|C:\Program Files\Mozilla Firefox\xul.dll+b87a13|C:\Program Files\Mozilla Firefox\xul.dll+252ddf|C:\Program Files\Mozilla Firefox\xul.dll+252b6a|C:\Program Files\Mozilla Firefox\xul.dll+f8a3dd|C:\Program Files\Mozilla Firefox\xul.dll+fe417d|C:\Program Files\Mozilla Firefox\xul.dll+f470b5|C:\Program Files\Mozilla Firefox\xul.dll+f46c86|C:\Program Files\Mozilla Firefox\xul.dll+1a0b6ed|C:\Program Files\Mozilla Firefox\xul.dll+1bc1d51|C:\Program Files\Mozilla Firefox\xul.dll+fd66c8|C:\Program Files\Mozilla Firefox\xul.dll+fd6535|C:\Program Files\Mozilla Firefox\xul.dll+fd5cff|C:\Program Files\Mozilla Firefox\xul.dll+fd57a9|C:\Program Files\Mozilla Firefox\xul.dll+fd5603|C:\Program Files\Mozilla Firefox\xul.dll+fd678d|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e 734700x800000000000000089492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5A,IMPHASH=80A56C2FEE02149B4E326F9A62FF4B12trueMicrosoft WindowsValid 734700x800000000000000089491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.653{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\policymanager.dll10.0.14393.4169 (rs1_release.210107-1130)Policy Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPolicyManager.dllMD5=58677E3FBF7D29109E8EB578062F1C81,SHA256=F751521EBC10CC1F0BC6AAB2715B9169439A014F178A7D6880080567D880C103,IMPHASH=E1BC13C6E7766D0332C0420A512C2799trueMicrosoft WindowsValid 734700x800000000000000089490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.646{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 734700x800000000000000089489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.637{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 11241100x800000000000000089488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.578{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\dnSpy-net-win32.zip2023-01-17 10:32:47.578 11241100x800000000000000089487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.574{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\gdS9m5jE.zip.part2023-01-17 10:32:47.572 23542300x800000000000000089486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.574{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\gdS9m5jE.zip.partMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.572{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\gdS9m5jE.zip.part2023-01-17 10:32:47.572 11241100x800000000000000089484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.572{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\gdS9m5jE.zip2023-01-17 10:32:47.572 11241100x800000000000000089483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.176{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.174{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF15F820F6BD6387F0B9E0454040C02,SHA256=AAAA16851E65857046961A2C8101CDCAE2A2E9DA7D86D2B0A598ED74D646E102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:48.471{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC300262B4CC97C48292E69F25D97F5,SHA256=9F87AA7834205044F753025502BD4A97752503CBAD94FD02AE413E6AFE8BF8A8,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000089536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.946{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348C,IMPHASH=C93A45A26AACEA8208AA325C281035F0trueMicrosoft WindowsValid 734700x800000000000000089535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.942{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x800000000000000089534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.942{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2,IMPHASH=F5D44AC1D5D2912F6B871FE7D5604CEDtrueMicrosoft WindowsValid 734700x800000000000000089533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.944{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000089532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.944{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000089531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.942{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x800000000000000089530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.925{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52,IMPHASH=B062C097D0B3B0DCCA3ECC898B231E28trueMicrosoft WindowsValid 734700x800000000000000089529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41,IMPHASH=EE821B7DB352A29DF6636AEB059E4519trueMicrosoft WindowsValid 734700x800000000000000089528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.909{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msisip.dll5.0.14393.4704 (rs1_release.211004-1917)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=E05D3AEDC7E9A28DB9CE81C0C4D5DF91,SHA256=E57F53A4ADADE83595524BE8821C726882ABF0BA748471D3F4F502F4D8CDAECC,IMPHASH=9990E8AE89385588C988664086E258E7trueMicrosoft WindowsValid 734700x800000000000000089527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.914{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 354300x800000000000000089526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:46.533{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49574-false185.199.109.133cdn-185-199-109-133.github.com443https 354300x800000000000000089525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:46.525{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53947- 354300x800000000000000089524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:46.524{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63332- 11241100x800000000000000089523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.400{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.398{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A7238B4DF6520BFE195866BC7E3FEE,SHA256=B935AFAB92D255284C3FB20AF51A819398DFF3A90A6A33DE1E2E399891963474,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.202{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.198{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.193{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.192{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.192{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x800000000000000089516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.189{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:32:48.189 10341000x800000000000000089515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.185{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.181{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.179{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.177{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.172{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 354300x800000000000000089510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:46.198{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49573-false10.0.1.12-8000- 10341000x800000000000000089509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.161{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.157{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.150{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.143{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.135{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.105{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x800000000000000089503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.098{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:48.097 23542300x800000000000000089502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.098{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.097{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:48.097 10341000x800000000000000089500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.094{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.087{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.079{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.072{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.030{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.028{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000069023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:49.563{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C02A29DB4C4814DB3E804B359003CB5,SHA256=7CE2463D0E27A67C4DD23893E60DE76B204AEFFE6BB05F0C5B0FDDA419C145B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:49.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0ABD42065B9EB5959100DD787637D5829958BA4B2023-01-17 10:32:49.900 11241100x800000000000000089540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:49.516{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:49.516{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E5121DFA499C0A39A59E33606ECC03,SHA256=CC8E69B74E212A0DD441294DB0C36AF92774A2F701C790C7275D2A579CDD55A6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:49.121{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\downloads.json.tmp2023-01-17 10:32:49.121 734700x800000000000000089537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.948{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\EsdSip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying .esd Electronic Software Distribution filesMicrosoft® Windows® Operating SystemMicrosoft CorporationESDSIP.DLLMD5=CDF191FF99AF7729029F5E098FF7D819,SHA256=53A7D390A146F888AF5FE3F1EF3859ECC58D9E0EA3AE27FDDF281CE14691568D,IMPHASH=E47F6D532615E6E31018F6C5A9EA62C1trueMicrosoft WindowsValid 23542300x800000000000000069025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:50.651{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26078F18D9FD5F13349A3322381FFA0C,SHA256=941467361D53B7C4213F97330138C2996D904709C1702384420DD38EC0088515,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.628{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.628{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E247AF8F7299F6D34111AEB3B4C5EF,SHA256=4A4964471F23139F0A76B5ECB1096430017B93C15B58932C261BE650F79B6BB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.588{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.586{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 15241500x800000000000000089564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.567{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\dnSpy-net-win32.zip:Zone.Identifier2023-01-17 10:32:47.572MD5=E8504929AAC46C4DB4FE01A4D4AB8C5D,SHA256=54E3D84465DC0CBF6845D9D7AB75A3309A5D3731736199441C4E81B3D166A987,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 ReferrerUrl=https://github.com/dnSpy/dnSpy/releases HostUrl=https://objects.githubusercontent.com/github-production-release-asset-2e65be/38380854/47937380-38d4-11eb-9587-3bc3f454fd09?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230117%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230117T103247Z&X-Amz-Expires=300&X-Amz-Signature=192f1f058fd87307aff6e0cbe5416bdfaeb59254213c8ce9bf370eb7d073ffc4&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=38380854&response-content-disposition=attachment%3B%20filename%3DdnSpy-net-win32.zip&response-content-type=application%2Foctet-stream 11241100x800000000000000089563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.566{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\dnSpy-net-win32.zip:Zone.Identifier2023-01-17 10:32:47.572 15241500x800000000000000089562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:49.910{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\dnSpy-net-win32.zip2023-01-17 10:32:47.572MD5=F6FE2BD46F091E4C7494F8DF876D6C9D,SHA256=3CB7340B5B0B250A5B8D6CBF45BEE4355BE09C9A4D4FE2B2FAC9ABD5C7B95EFD,IMPHASH=00000000000000000000000000000000- 354300x800000000000000069024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:48.114{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50342-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000089561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.408{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.408{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.407{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000089558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.982{F172AD64-7935-63C6-6402-00000000B002}2296sb-ssl.l.google.com02607:f8b0:4009:807::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.961{F172AD64-7935-63C6-6402-00000000B002}2296sb-ssl.l.google.com0172.217.2.46;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.960{F172AD64-7935-63C6-6402-00000000B002}2296sb-ssl.google.com0type: 5 sb-ssl.l.google.com;::ffff:172.217.2.46;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.398{F172AD64-7935-63C6-6402-00000000B002}2296objects.githubusercontent.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.397{F172AD64-7935-63C6-6402-00000000B002}2296objects.githubusercontent.com0185.199.110.133;185.199.111.133;185.199.108.133;185.199.109.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000089553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:47.396{F172AD64-7935-63C6-6402-00000000B002}2296objects.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000089552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.400{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000089551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.392{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000089550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.390{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000089549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.388{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000089548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.386{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000089547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.382{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000089546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.377{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.226{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.224{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.217{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.207{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x800000000000000089618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.972{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.972{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CC6DCC1857A0CA6BE6E68E1561AAD0,SHA256=C8905DDFB4903956DE1E9C25EB25289934C724E3AC078A09FCF4F8A9EDC864F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.971{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000089615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.971{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=38B0E70CA05727D0AF3A3233B3DADC7D,SHA256=90EC4A7327E93854A4204E07A9104E020467476D5E4C716DC6F64704A33F0FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:51.861{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C1BAA30FC28A8B810E7C0281C3C0CF,SHA256=6C981BC723A156913816CA5AE8ABDBF7AA1761A5607E2546B92730470515CADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.409{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DE134BF4CBB74254964EDEF57535C414,SHA256=9A18E2D6BE52F2A145754A39AFAC7C0611E1102361BA633F6E2959D211869DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.405{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\downloads.jsonMD5=B45425A8D8BC9E98206FA67D0924863C,SHA256=A3776ECE05BCF947765564874EBF8EC6739D4E61880EAB7C14927609A233F4B6,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000089612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.339{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 10341000x800000000000000089611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.262{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.259{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.257{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.253{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.251{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.248{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.245{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.242{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.239{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.232{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.230{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.212{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.204{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.203{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.202{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.201{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.198{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.197{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.196{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.195{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.180{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 354300x800000000000000089590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:49.025{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61109-false172.217.2.46ord37s52-in-f14.1e100.net443https 354300x800000000000000089589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.161{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49576-false142.250.191.195ord38s31-in-f3.1e100.net80http 354300x800000000000000089588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:48.106{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49575-false172.217.2.46ord37s52-in-f14.1e100.net443https 10341000x800000000000000089587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.170{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.168{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 17141700x800000000000000089585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:32:51.154{F172AD64-7634-63C6-B901-00000000B002}4900\UIA_PIPE_4900_000072cfC:\Windows\Explorer.EXE 10341000x800000000000000089584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.132{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.126{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.113{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.108{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.107{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.104{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.102{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.099{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.097{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.096{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.094{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.093{F172AD64-7640-63C6-CB01-00000000B002}61966280C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000089572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.029{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.017{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x800000000000000089570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.015{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x800000000000000089569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:51.007{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sxs.dll10.0.14393.5582 (rs1_release.221130-1719)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=F2A8CD581B7D437C69B57A11C3C45E5D,SHA256=43CE351FE5BBF22128A1A60EC5BE4C70B0BC1496AD276FF04A484F7B86921B0A,IMPHASH=1CD4F5164C272A4717A58FD86B640C54trueMicrosoft WindowsValid 11241100x800000000000000089619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:52.305{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F17A2DBF87EBD25FC37EE6D1EEFF66DBFE9AF30A2023-01-17 10:32:52.305 11241100x800000000000000089624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:53.467{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-17 09:40:52.407 23542300x800000000000000089623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:53.467{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=19FF5EB4E2B41837BC694EF2CBB99D29,SHA256=EF9F93AF953A6F60FB9C2B28F2D5C27A00681CDBE08C45F9FF69BF918B278F26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:50.049{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49448- 11241100x800000000000000089621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:53.161{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:53.161{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F6AE9F90991EA62ADB9A107482D47B,SHA256=280E58F45E9539AE4082103E77E1AB5140988D00FF0A8316086C025B4202355D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.518{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.507{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.473{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.456{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.452{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.418{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.407{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.388{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.381{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.378{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.373{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.367{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.364{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.362{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.361{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.358{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.358{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.356{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.354{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.352{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.348{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.343{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.340{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.333{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.323{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.319{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.303{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.245{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.239{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.229{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.215{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.204{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.195{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.179{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.162{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.143{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.121{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000069029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.117{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 23542300x800000000000000069028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.056{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E3053F16DABCE51CB4296AEE312062,SHA256=45E1E0385ADC37BB81AD4ACB69454E6A5E60D07877D3EA35C0EA97A6319D7DC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:53.025{F6EEFE7F-6CEF-63C6-0D00-00000000B102}7644104C:\Windows\system32\svchost.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.542{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:48.097 23542300x800000000000000089669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.540{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.540{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:48.097 11241100x800000000000000089667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.524{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.524{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34D128BADDDEEBCA411A40A3DDAE878,SHA256=C9F239FD903A97300DD77FE2446BC834C934AC40F69C790B841F8790216266B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:54.261{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E50DE573EA0328FAF2D86B24BEC6FAF,SHA256=03897264386CC95C400CF381E4D9D804A167860A0268A1FB0CEE0372606D3D95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.095{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.095{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.095{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.094{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.094{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.094{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.093{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.093{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.093{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.093{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.091{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.091{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.091{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.091{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.090{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.090{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.090{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.090{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.090{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.089{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.089{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.089{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.089{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.087{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.087{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.087{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.087{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.087{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.087{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.087{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.087{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.087{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.085{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.085{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.084{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.083{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.083{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.083{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.083{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.083{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:54.083{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.602{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.602{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F69EC251928DB79C82875CE3B6A1C59,SHA256=5F73D4B6D4E753D0C3AB38B438826BF1880373775B939A3DC9B3B2E07A28C649,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000089681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.538{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 23542300x800000000000000069069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:55.365{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED1DA0345583CD230DD16B2E7E22A41,SHA256=095B55BF6CA70645D9D139BE951CE25100574D0757259CCB0603C9AA68003938,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000089680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:32:55.487{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B8CDCB65-B1BF-4B42-9428-1DFDB7EE92AF} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 734700x800000000000000089679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.481{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\mydocs.dll10.0.14393.4169 (rs1_release.210107-1130)My Documents Folder UIMicrosoft® Windows® Operating SystemMicrosoft Corporationmydocs.dllMD5=999FD44CF5713852E6083A43A7917761,SHA256=D5C75951C29B7F0AAA4EC9E9AB3195933E650C1F171092F389FD4DB66CA1CA20,IMPHASH=D1267CC8F49B54A66A0034D2C4452E93trueMicrosoft WindowsValid 10341000x800000000000000089678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.480{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.480{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.479{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\sendmail.dll10.0.14393.4169 (rs1_release.210107-1130)Send MailMicrosoft® Windows® Operating SystemMicrosoft CorporationSENDMAIL.DLLMD5=04626525E567811FC7ECB3E31D94F8B0,SHA256=678A3A9DD713DC61F72112BD3160B8753F1A50D1179FDFABD265C32103980A6A,IMPHASH=52DBB027F849F4DB11CB3C2B56C0E9FBtrueMicrosoft WindowsValid 10341000x800000000000000089675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.479{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.478{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.473{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:55.471{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000089671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:52.157{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49577-false10.0.1.12-8000- 11241100x800000000000000089688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:56.811{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:56.811{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC6483F073A981BCC43607C410FE7A1,SHA256=BF3E2EFCF21079179B887E0F2811D2A923C0BFC5B13ACD594DB0CCA313300C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:56.448{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C355B1B1322186415506FA5D096D1DF,SHA256=83F9E5236E103C45734AE152AB6DD27680AAA47225BF26B6F204BD0A06AC181E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:56.151{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:48.097 23542300x800000000000000089685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:56.151{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:56.149{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:48.097 354300x800000000000000069071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:54.020{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50343-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000069070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:56.002{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000069073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:57.560{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4C67896FC8E368B0B0486805004EE0,SHA256=14535D358D433CCE3CB4E0007415E77102FE8B088D7E4972770150FC6D02C214,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:57.815{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:57.815{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C529B43FF690C6BD7337B02A76DAD0,SHA256=785084B872CA979095C0DEEEA357D18DF86A6859118104849C28293EF4235E35,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:57.572{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:32:57.572 11241100x800000000000000089961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.988{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationCore.dll2023-01-17 10:32:58.988 11241100x800000000000000089960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.986{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PenImc_cor3.dll2023-01-17 10:32:58.986 11241100x800000000000000089959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.984{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Ookii.Dialogs.Wpf.dll2023-01-17 10:32:58.983 11241100x800000000000000089958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.982{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\netstandard.dll2023-01-17 10:32:58.982 11241100x800000000000000089957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.981{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\mscorrc.dll2023-01-17 10:32:58.980 11241100x800000000000000089956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.979{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\mscorlib.dll2023-01-17 10:32:58.979 11241100x800000000000000089955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.969{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\mscordbi.dll2023-01-17 10:32:58.969 11241100x800000000000000089954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.958{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\mscordaccore_x86_x86_5.0.20.51904.dll2023-01-17 10:32:58.958 11241100x800000000000000089953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.947{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\mscordaccore.dll2023-01-17 10:32:58.947 11241100x800000000000000089952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.946{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Mono.Debugger.Soft.pdb2023-01-17 10:32:58.946 11241100x800000000000000089951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.944{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Mono.Debugger.Soft.dll2023-01-17 10:32:58.944 11241100x800000000000000089950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.943{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.SystemEvents.dll2023-01-17 10:32:58.942 11241100x800000000000000089949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.940{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.Registry.dll2023-01-17 10:32:58.940 11241100x800000000000000089948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.940{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.Registry.AccessControl.dll2023-01-17 10:32:58.939 11241100x800000000000000089947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.939{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.Primitives.dll2023-01-17 10:32:58.939 11241100x800000000000000089946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.938{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Validation.dll2023-01-17 10:32:58.938 11241100x800000000000000089945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.936{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.UI.Wpf.dll2023-01-17 10:32:58.936 11241100x800000000000000089944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.934{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.UI.dll2023-01-17 10:32:58.934 11241100x800000000000000089943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.933{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.Logic.dll2023-01-17 10:32:58.933 11241100x800000000000000089942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.931{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.Data.dll2023-01-17 10:32:58.931 11241100x800000000000000089941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.929{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Language.Intellisense.dll2023-01-17 10:32:58.929 11241100x800000000000000089940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.928{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.CoreUtility.dll2023-01-17 10:32:58.928 11241100x800000000000000089939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.927{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Composition.NetFxAttributes.dll2023-01-17 10:32:58.927 11241100x800000000000000089938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.923{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Composition.dll2023-01-17 10:32:58.923 11241100x800000000000000089937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.921{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualBasic.Forms.dll2023-01-17 10:32:58.921 11241100x800000000000000089936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.920{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualBasic.dll2023-01-17 10:32:58.920 11241100x800000000000000089935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.908{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualBasic.Core.dll2023-01-17 10:32:58.908 11241100x800000000000000089934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.903{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.903{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5443BAE4AF3D1F24789FFEE8196D808,SHA256=AF34618CF284D1B7D19212BBBC4E33DEC853FC8B219BA0E7322BAC48591C2074,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.896{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.DiaSymReader.Native.x86.dll2023-01-17 10:32:58.896 11241100x800000000000000089931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.883{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.882{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9595F6F7C9E451FDAD618FD8E122002,SHA256=BDAE2BDFD0F54CC54F69094A27BA248618973160AE30A74714B81D641F371D0A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.879{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.DiaSymReader.Native.amd64.dll2023-01-17 10:32:58.879 11241100x800000000000000089928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.870{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.Diagnostics.Runtime.dll2023-01-17 10:32:58.870 11241100x800000000000000089927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.858{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CSharp.dll2023-01-17 10:32:58.858 11241100x800000000000000089926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.832{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Workspaces.dll2023-01-17 10:32:58.832 23542300x800000000000000069074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:58.671{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B13CB2A4DBE560BFB21FED03049F25,SHA256=FA705A11E03C301004C42035299EA0CB2971F863CE170AC94196C5E1AB071A99,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.823{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.Workspaces.dll2023-01-17 10:32:58.823 11241100x800000000000000089924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.813{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.Features.dll2023-01-17 10:32:58.813 11241100x800000000000000089923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.812{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.pdb2023-01-17 10:32:58.812 11241100x800000000000000089922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.810{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.dll2023-01-17 10:32:58.810 11241100x800000000000000089921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.755{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.dll2023-01-17 10:32:58.755 11241100x800000000000000089920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.753{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Scripting.dll2023-01-17 10:32:58.753 11241100x800000000000000089919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.729{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Features.dll2023-01-17 10:32:58.729 11241100x800000000000000089918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.727{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.pdb2023-01-17 10:32:58.727 11241100x800000000000000089917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.727{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.dll2023-01-17 10:32:58.727 11241100x800000000000000089916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.696{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.dll2023-01-17 10:32:58.696 11241100x800000000000000089915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.689{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.Workspaces.dll2023-01-17 10:32:58.689 11241100x800000000000000089914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.688{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.Scripting.dll2023-01-17 10:32:58.688 11241100x800000000000000089913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.678{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.Features.dll2023-01-17 10:32:58.678 11241100x800000000000000089912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.676{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.pdb2023-01-17 10:32:58.676 11241100x800000000000000089911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.674{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.dll2023-01-17 10:32:58.674 11241100x800000000000000089910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.622{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.dll2023-01-17 10:32:58.622 11241100x800000000000000089909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.622{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.TreeView.pdb2023-01-17 10:32:58.622 11241100x800000000000000089908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.620{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.TreeView.dll2023-01-17 10:32:58.620 11241100x800000000000000089907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.618{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.VB.pdb2023-01-17 10:32:58.618 11241100x800000000000000089906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.616{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.VB.dll2023-01-17 10:32:58.616 11241100x800000000000000089905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.614{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.pdb2023-01-17 10:32:58.614 11241100x800000000000000089904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.610{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.dll2023-01-17 10:32:58.610 11241100x800000000000000089903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.608{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.CSharp.pdb2023-01-17 10:32:58.608 11241100x800000000000000089902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.602{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.CSharp.dll2023-01-17 10:32:58.600 11241100x800000000000000089901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.598{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.Decompiler.pdb2023-01-17 10:32:58.598 11241100x800000000000000089900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.593{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.Decompiler.dll2023-01-17 10:32:58.592 11241100x800000000000000089899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.578{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Iced.dll2023-01-17 10:32:58.578 11241100x800000000000000089898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.576{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Humanizer.dll2023-01-17 10:32:58.576 11241100x800000000000000089897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.572{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hostpolicy.dll2023-01-17 10:32:58.572 11241100x800000000000000089896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.566{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hostfxr.dll2023-01-17 10:32:58.566 11241100x800000000000000089895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.566{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Scripting.Roslyn.x.pdb2023-01-17 10:32:58.566 11241100x800000000000000089894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.564{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Scripting.Roslyn.x.dll2023-01-17 10:32:58.564 11241100x800000000000000089893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.562{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Scripting.Roslyn.x.deps.json2023-01-17 10:32:58.562 11241100x800000000000000089892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.562{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.runtimeconfig.json2023-01-17 10:32:58.562 11241100x800000000000000089891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.562{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.xml2023-01-17 10:32:58.562 11241100x800000000000000089890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.560{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.Internal.pdb2023-01-17 10:32:58.560 11241100x800000000000000089889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.560{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.Internal.dll2023-01-17 10:32:58.560 11241100x800000000000000089888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.558{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.pdb2023-01-17 10:32:58.558 11241100x800000000000000089887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.558{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.dll2023-01-17 10:32:58.558 11241100x800000000000000089886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.556{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.pdb2023-01-17 10:32:58.556 11241100x800000000000000089885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.554{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.Internal.pdb2023-01-17 10:32:58.554 11241100x800000000000000089884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.554{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.Internal.dll2023-01-17 10:32:58.554 11241100x800000000000000089883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.552{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.EditorFeatures.pdb2023-01-17 10:32:58.552 11241100x800000000000000089882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.550{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.EditorFeatures.dll2023-01-17 10:32:58.550 11241100x800000000000000089881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.542{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.dll2023-01-17 10:32:58.542 11241100x800000000000000089880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.542{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.Internal.pdb2023-01-17 10:32:58.542 11241100x800000000000000089879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.542{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.Internal.dll2023-01-17 10:32:58.540 11241100x800000000000000089878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.540{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.EditorFeatures.pdb2023-01-17 10:32:58.540 11241100x800000000000000089877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.540{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.EditorFeatures.dll2023-01-17 10:32:58.540 11241100x800000000000000089876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.520{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.pdb2023-01-17 10:32:58.520 11241100x800000000000000089875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.518{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Images.pdb2023-01-17 10:32:58.518 11241100x800000000000000089874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.514{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Images.dll2023-01-17 10:32:58.514 11241100x800000000000000089873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.484{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.dll2023-01-17 10:32:58.483 11241100x800000000000000089872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.481{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.deps.json2023-01-17 10:32:58.481 11241100x800000000000000089871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.479{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.pdb2023-01-17 10:32:58.477 11241100x800000000000000089870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.475{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.x.pdb2023-01-17 10:32:58.475 11241100x800000000000000089869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.475{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.x.dll2023-01-17 10:32:58.475 11241100x800000000000000089868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.473{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.x.deps.json2023-01-17 10:32:58.473 11241100x800000000000000089867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.473{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.Core.pdb2023-01-17 10:32:58.473 11241100x800000000000000089866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.471{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.Core.dll2023-01-17 10:32:58.471 11241100x800000000000000089865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.467{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.dll2023-01-17 10:32:58.467 11241100x800000000000000089864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.463{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.x.pdb2023-01-17 10:32:58.463 11241100x800000000000000089863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.449{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.x.dll2023-01-17 10:32:58.449 11241100x800000000000000089862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.448{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.x.deps.json2023-01-17 10:32:58.448 11241100x800000000000000089861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.446{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.x.pdb2023-01-17 10:32:58.446 11241100x800000000000000089860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.442{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.x.dll2023-01-17 10:32:58.442 11241100x800000000000000089859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.440{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.x.deps.json2023-01-17 10:32:58.440 11241100x800000000000000089858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.434{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Mono.x.pdb2023-01-17 10:32:58.434 11241100x800000000000000089857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.431{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Mono.x.dll2023-01-17 10:32:58.430 11241100x800000000000000089856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.430{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Mono.x.deps.json2023-01-17 10:32:58.429 11241100x800000000000000089855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.428{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Metadata.xml2023-01-17 10:32:58.427 11241100x800000000000000089854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.425{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Metadata.pdb2023-01-17 10:32:58.425 11241100x800000000000000089853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.421{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Metadata.dll2023-01-17 10:32:58.421 11241100x800000000000000089852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.420{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Interpreter.xml2023-01-17 10:32:58.420 11241100x800000000000000089851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.420{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Interpreter.pdb2023-01-17 10:32:58.419 11241100x800000000000000089850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.418{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Interpreter.dll2023-01-17 10:32:58.418 11241100x800000000000000089849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.415{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.CorDebug.x.pdb2023-01-17 10:32:58.415 11241100x800000000000000089848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.408{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.CorDebug.x.dll2023-01-17 10:32:58.408 11241100x800000000000000089847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.408{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.CorDebug.x.deps.json2023-01-17 10:32:58.407 11241100x800000000000000089846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.406{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Logic.xml2023-01-17 10:32:58.406 11241100x800000000000000089845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.405{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Logic.pdb2023-01-17 10:32:58.405 11241100x800000000000000089844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.402{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Logic.dll2023-01-17 10:32:58.402 11241100x800000000000000089843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.393{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.DnSpy.xml2023-01-17 10:32:58.393 11241100x800000000000000089842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.389{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.DnSpy.pdb2023-01-17 10:32:58.389 10341000x800000000000000089841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.384{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.384{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.384{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.383{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.383{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000089836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.383{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000089835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.380{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.DnSpy.dll2023-01-17 10:32:58.380 11241100x800000000000000089834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.373{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.xml2023-01-17 10:32:58.373 11241100x800000000000000089833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.373{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.pdb2023-01-17 10:32:58.373 11241100x800000000000000089832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.373{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.xml2023-01-17 10:32:58.373 11241100x800000000000000089831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.372{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.pdb2023-01-17 10:32:58.372 11241100x800000000000000089830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.372{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.Mono.xml2023-01-17 10:32:58.371 11241100x800000000000000089829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.371{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.Mono.pdb2023-01-17 10:32:58.371 11241100x800000000000000089828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.369{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.Mono.dll2023-01-17 10:32:58.369 11241100x800000000000000089827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.368{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.dll2023-01-17 10:32:58.367 11241100x800000000000000089826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.366{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.xml2023-01-17 10:32:58.366 11241100x800000000000000089825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.366{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.pdb2023-01-17 10:32:58.365 11241100x800000000000000089824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.365{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.dll2023-01-17 10:32:58.365 11241100x800000000000000089823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.362{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.dll2023-01-17 10:32:58.362 11241100x800000000000000089822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.362{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Console.runtimeconfig.json2023-01-17 10:32:58.362 11241100x800000000000000089821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.361{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Console.pdb2023-01-17 10:32:58.361 11241100x800000000000000089820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.359{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000089819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.359{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBEFB13E5884837F4C6077AE67FF9A0,SHA256=983F56F8B32613732BC9D1DEA90C31981113760506E3725CD7B9A5737BACE141,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.357{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Console.dll2023-01-17 10:32:58.357 11241100x800000000000000089817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.357{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Console.deps.json2023-01-17 10:32:58.348 11241100x800000000000000089816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.348{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.BamlDecompiler.x.pdb2023-01-17 10:32:58.348 11241100x800000000000000089815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.344{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.BamlDecompiler.x.dll2023-01-17 10:32:58.344 11241100x800000000000000089814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.344{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.BamlDecompiler.x.deps.json2023-01-17 10:32:58.344 11241100x800000000000000089813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.338{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.AsmEditor.x.pdb2023-01-17 10:32:58.338 11241100x800000000000000089812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.324{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.AsmEditor.x.dll2023-01-17 10:32:58.324 11241100x800000000000000089811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.322{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.AsmEditor.x.deps.json2023-01-17 10:32:58.322 11241100x800000000000000089810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.322{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Analyzer.x.pdb2023-01-17 10:32:58.320 11241100x800000000000000089809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.318{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Analyzer.x.dll2023-01-17 10:32:58.318 11241100x800000000000000089808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.318{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnSpy.Analyzer.x.deps.json2023-01-17 10:32:58.316 11241100x800000000000000089807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.306{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dnlib.dll2023-01-17 10:32:58.306 11241100x800000000000000089806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.300{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\DirectWriteForwarder.dll2023-01-17 10:32:58.300 11241100x800000000000000089805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.298{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\dbgshim.dll2023-01-17 10:32:58.298 11241100x800000000000000089804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.259{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\D3DCompiler_47_cor3.dll2023-01-17 10:32:58.259 11241100x800000000000000089803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.257{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\CSharpInteractive.rsp2023-01-17 10:32:58.257 11241100x800000000000000089802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.257{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\createdump.exe2023-01-17 10:32:58.257 11241100x800000000000000089801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.209{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\coreclr.dll2023-01-17 10:32:58.209 11241100x800000000000000089800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.194{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\clrjit.dll2023-01-17 10:32:58.194 11241100x800000000000000089799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.192{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\clretwrc.dll2023-01-17 10:32:58.192 11241100x800000000000000089798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.184{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\clrcompression.dll2023-01-17 10:32:58.183 11241100x800000000000000089797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.183{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-utility-l1-1-0.dll2023-01-17 10:32:58.181 11241100x800000000000000089796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.179{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-time-l1-1-0.dll2023-01-17 10:32:58.179 11241100x800000000000000089795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.179{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-string-l1-1-0.dll2023-01-17 10:32:58.179 11241100x800000000000000089794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.177{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-stdio-l1-1-0.dll2023-01-17 10:32:58.177 11241100x800000000000000089793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.177{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-runtime-l1-1-0.dll2023-01-17 10:32:58.177 11241100x800000000000000089792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.175{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-process-l1-1-0.dll2023-01-17 10:32:58.175 11241100x800000000000000089791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.175{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-private-l1-1-0.dll2023-01-17 10:32:58.173 11241100x800000000000000089790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.173{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-17 10:32:58.173 11241100x800000000000000089789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.173{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-math-l1-1-0.dll2023-01-17 10:32:58.173 11241100x800000000000000089788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.171{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-locale-l1-1-0.dll2023-01-17 10:32:58.169 10341000x800000000000000089787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.171{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.171{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.171{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.171{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.169{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.169{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.169{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-heap-l1-1-0.dll2023-01-17 10:32:58.169 10341000x800000000000000089780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.169{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.167{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-17 10:32:58.167 11241100x800000000000000089778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.167{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-environment-l1-1-0.dll2023-01-17 10:32:58.167 11241100x800000000000000089777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.167{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-convert-l1-1-0.dll2023-01-17 10:32:58.165 11241100x800000000000000089776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.165{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-crt-conio-l1-1-0.dll2023-01-17 10:32:58.165 11241100x800000000000000089775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.163{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\API-MS-Win-core-xstate-l2-1-0.dll2023-01-17 10:32:58.163 11241100x800000000000000089774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.163{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-util-l1-1-0.dll2023-01-17 10:32:58.163 10341000x800000000000000089773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.163{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.163{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-timezone-l1-1-0.dll2023-01-17 10:32:58.163 10341000x800000000000000089771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.161{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.161{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-sysinfo-l1-1-0.dll2023-01-17 10:32:58.161 11241100x800000000000000089769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.159{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-synch-l1-2-0.dll2023-01-17 10:32:58.159 10341000x800000000000000089768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.159{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.159{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-synch-l1-1-0.dll2023-01-17 10:32:58.159 10341000x800000000000000089766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.159{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.159{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.159{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000089763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.157{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-string-l1-1-0.dll2023-01-17 10:32:58.157 11241100x800000000000000089762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.157{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-rtlsupport-l1-1-0.dll2023-01-17 10:32:58.157 11241100x800000000000000089761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.157{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-profile-l1-1-0.dll2023-01-17 10:32:58.157 11241100x800000000000000089760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.155{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-processthreads-l1-1-1.dll2023-01-17 10:32:58.155 11241100x800000000000000089759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.153{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-processthreads-l1-1-0.dll2023-01-17 10:32:58.153 11241100x800000000000000089758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.153{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-processenvironment-l1-1-0.dll2023-01-17 10:32:58.153 11241100x800000000000000089757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.153{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-namedpipe-l1-1-0.dll2023-01-17 10:32:58.151 11241100x800000000000000089756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.151{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-memory-l1-1-0.dll2023-01-17 10:32:58.151 11241100x800000000000000089755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.151{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-localization-l1-2-0.dll2023-01-17 10:32:58.149 11241100x800000000000000089754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.149{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-libraryloader-l1-1-0.dll2023-01-17 10:32:58.149 11241100x800000000000000089753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.149{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-interlocked-l1-1-0.dll2023-01-17 10:32:58.149 11241100x800000000000000089752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.149{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-heap-l1-1-0.dll2023-01-17 10:32:58.147 11241100x800000000000000089751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.147{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-handle-l1-1-0.dll2023-01-17 10:32:58.147 11241100x800000000000000089750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.147{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-file-l2-1-0.dll2023-01-17 10:32:58.147 11241100x800000000000000089749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.145{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-file-l1-2-0.dll2023-01-17 10:32:58.145 734700x800000000000000089748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.097{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 11241100x800000000000000089747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.145{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-file-l1-1-0.dll2023-01-17 10:32:58.145 11241100x800000000000000089746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.145{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-errorhandling-l1-1-0.dll2023-01-17 10:32:58.145 11241100x800000000000000089745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.143{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-debug-l1-1-0.dll2023-01-17 10:32:58.143 11241100x800000000000000089744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.143{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-datetime-l1-1-0.dll2023-01-17 10:32:58.143 11241100x800000000000000089743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.143{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-console-l1-2-0.dll2023-01-17 10:32:58.141 11241100x800000000000000089742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.139{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\api-ms-win-core-console-l1-1-0.dll2023-01-17 10:32:58.139 11241100x800000000000000089741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.139{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Accessibility.dll2023-01-17 10:32:58.139 11241100x800000000000000089740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.139{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin2023-01-17 10:32:58.137 734700x800000000000000089739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.137{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000089738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.137{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x800000000000000089737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.136{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.097{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000089735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.131{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 734700x800000000000000089734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.130{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000089733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.123{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.123{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000089731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.123{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7z.dll22.017z Plugin7-ZipIgor Pavlov7z.dllMD5=BBF51226A8670475F283A2D57460D46C,SHA256=73578F14D50F747EFA82527A503F1AD542F9DB170E2901EDDB54D6BCE93FC00E,IMPHASH=4A683D6F78CDDF7C7CDA44D5A4669025false-Unavailable 10341000x800000000000000089730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.121{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.121{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.096{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x800000000000000089727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.121{F172AD64-6CE8-63C6-1000-00000000B002}3566744C:\Windows\system32\svchost.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.121{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000089725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.119{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000089724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.111{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000089723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.109{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000089722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.109{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000089721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.109{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000089720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.109{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000089719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.107{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000089718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.107{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000089717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.107{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000089716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.107{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000089715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.107{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000089714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.105{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000089713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.105{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000089712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.105{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000089711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.105{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000089710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.097{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000089709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.097{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000089708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.097{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000089707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.097{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000089706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.097{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000089705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.096{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000089704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.096{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000089703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.096{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x800000000000000089702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.094{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000089701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.094{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000089700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.093{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000089699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.093{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exeMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7false-Unavailable 10341000x800000000000000089698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.093{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.093{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.092{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.092{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.092{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.092{F172AD64-7634-63C6-B901-00000000B002}49006368C:\Windows\Explorer.EXE{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x800000000000000089692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.091{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Administrator\Downloads\" -an -ai#7zMap19276:108:7zEvent26135C:\Windows\system32\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 11241100x800000000000000090154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.996{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Windows.Forms.Primitives.dll2023-01-17 10:32:59.995 11241100x800000000000000090153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.907{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Windows.Forms.dll2023-01-17 10:32:59.907 11241100x800000000000000090152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.907{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Windows.Forms.Design.Editors.dll2023-01-17 10:32:59.907 11241100x800000000000000090151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.877{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Windows.Forms.Design.dll2023-01-17 10:32:59.877 11241100x800000000000000090150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.875{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Windows.Extensions.dll2023-01-17 10:32:59.875 11241100x800000000000000090149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.875{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Windows.dll2023-01-17 10:32:59.875 11241100x800000000000000090148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.863{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Windows.Controls.Ribbon.dll2023-01-17 10:32:59.863 11241100x800000000000000090147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.863{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Web.HttpUtility.dll2023-01-17 10:32:59.863 11241100x800000000000000090146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.861{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Web.dll2023-01-17 10:32:59.861 11241100x800000000000000090145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.861{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ValueTuple.dll2023-01-17 10:32:59.861 11241100x800000000000000090144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.857{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Transactions.Local.dll2023-01-17 10:32:59.857 11241100x800000000000000090143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.855{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Transactions.dll2023-01-17 10:32:59.855 11241100x800000000000000090142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.855{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.Timer.dll2023-01-17 10:32:59.855 11241100x800000000000000090141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.853{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.ThreadPool.dll2023-01-17 10:32:59.853 11241100x800000000000000090140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.853{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.Thread.dll2023-01-17 10:32:59.853 11241100x800000000000000090139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.851{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.Parallel.dll2023-01-17 10:32:59.851 11241100x800000000000000090138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.851{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.Extensions.dll2023-01-17 10:32:59.851 11241100x800000000000000090137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.851{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.dll2023-01-17 10:32:59.851 11241100x800000000000000090136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.845{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.Dataflow.dll2023-01-17 10:32:59.845 11241100x800000000000000090135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.845{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.Overlapped.dll2023-01-17 10:32:59.845 11241100x800000000000000090134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.843{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.dll2023-01-17 10:32:59.843 11241100x800000000000000090133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.841{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.Channels.dll2023-01-17 10:32:59.841 11241100x800000000000000090132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.841{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Threading.AccessControl.dll2023-01-17 10:32:59.841 11241100x800000000000000090131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.835{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Text.RegularExpressions.dll2023-01-17 10:32:59.835 11241100x800000000000000090130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.827{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Text.Json.dll2023-01-17 10:32:59.827 11241100x800000000000000090129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.825{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Text.Encodings.Web.dll2023-01-17 10:32:59.825 11241100x800000000000000090128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.825{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Text.Encoding.Extensions.dll2023-01-17 10:32:59.824 11241100x800000000000000090127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.824{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Text.Encoding.dll2023-01-17 10:32:59.824 11241100x800000000000000090126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.815{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Text.Encoding.CodePages.dll2023-01-17 10:32:59.815 11241100x800000000000000090125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.815{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ServiceProcess.dll2023-01-17 10:32:59.815 11241100x800000000000000090124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.814{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ServiceModel.Web.dll2023-01-17 10:32:59.814 11241100x800000000000000090123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.813{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.SecureString.dll2023-01-17 10:32:59.813 11241100x800000000000000090122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.811{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Principal.Windows.dll2023-01-17 10:32:59.811 11241100x800000000000000090121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.811{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Principal.dll2023-01-17 10:32:59.810 11241100x800000000000000090120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.809{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Permissions.dll2023-01-17 10:32:59.809 11241100x800000000000000090119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.808{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.dll2023-01-17 10:32:59.808 11241100x800000000000000090118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.804{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Xml.dll2023-01-17 10:32:59.804 11241100x800000000000000090117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.799{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.X509Certificates.dll2023-01-17 10:32:59.799 11241100x800000000000000090116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.798{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.ProtectedData.dll2023-01-17 10:32:59.798 11241100x800000000000000090115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.796{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Primitives.dll2023-01-17 10:32:59.796 11241100x800000000000000090114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.787{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Pkcs.dll2023-01-17 10:32:59.787 11241100x800000000000000090113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.786{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.OpenSsl.dll2023-01-17 10:32:59.786 11241100x800000000000000090112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.784{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Encoding.dll2023-01-17 10:32:59.784 11241100x800000000000000090111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.782{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Csp.dll2023-01-17 10:32:59.782 11241100x800000000000000090110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.777{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Cng.dll2023-01-17 10:32:59.777 11241100x800000000000000090109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.771{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Algorithms.dll2023-01-17 10:32:59.771 11241100x800000000000000090108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.769{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.Claims.dll2023-01-17 10:32:59.769 11241100x800000000000000090107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.767{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Security.AccessControl.dll2023-01-17 10:32:59.767 11241100x800000000000000090106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.766{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Serialization.Xml.dll2023-01-17 10:32:59.766 11241100x800000000000000090105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.765{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Serialization.Primitives.dll2023-01-17 10:32:59.765 11241100x800000000000000090104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.764{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Serialization.Json.dll2023-01-17 10:32:59.764 11241100x800000000000000090103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.760{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Serialization.Formatters.dll2023-01-17 10:32:59.760 11241100x800000000000000090102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.760{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Serialization.dll2023-01-17 10:32:59.760 11241100x800000000000000090101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.757{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Numerics.dll2023-01-17 10:32:59.757 11241100x800000000000000090100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.756{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Loader.dll2023-01-17 10:32:59.756 11241100x800000000000000090099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.755{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Intrinsics.dll2023-01-17 10:32:59.755 11241100x800000000000000090098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.755{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.InteropServices.RuntimeInformation.dll2023-01-17 10:32:59.754 11241100x800000000000000090097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.753{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.InteropServices.dll2023-01-17 10:32:59.753 11241100x800000000000000090096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.753{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Handles.dll2023-01-17 10:32:59.753 11241100x800000000000000090095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.752{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Extensions.dll2023-01-17 10:32:59.752 11241100x800000000000000090094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.751{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.dll2023-01-17 10:32:59.751 11241100x800000000000000090093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.750{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.CompilerServices.VisualC.dll2023-01-17 10:32:59.750 11241100x800000000000000090092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.750{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Runtime.CompilerServices.Unsafe.dll2023-01-17 10:32:59.749 11241100x800000000000000090091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.749{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Resources.Writer.dll2023-01-17 10:32:59.748 11241100x800000000000000090090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.748{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Resources.ResourceManager.dll2023-01-17 10:32:59.748 11241100x800000000000000090089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.747{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Resources.Reader.dll2023-01-17 10:32:59.747 11241100x800000000000000090088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.745{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Resources.Extensions.dll2023-01-17 10:32:59.745 11241100x800000000000000090087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.743{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Reflection.TypeExtensions.dll2023-01-17 10:32:59.743 11241100x800000000000000090086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.741{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Primitives.dll2023-01-17 10:32:59.741 11241100x800000000000000090085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.732{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Metadata.dll2023-01-17 10:32:59.732 11241100x800000000000000090084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.731{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Extensions.dll2023-01-17 10:32:59.731 11241100x800000000000000090083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.730{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.Lightweight.dll2023-01-17 10:32:59.730 11241100x800000000000000090082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.729{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.ILGeneration.dll2023-01-17 10:32:59.729 11241100x800000000000000090081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.729{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.dll2023-01-17 10:32:59.728 11241100x800000000000000090080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.728{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Reflection.dll2023-01-17 10:32:59.728 11241100x800000000000000090079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.726{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Reflection.DispatchProxy.dll2023-01-17 10:32:59.726 11241100x800000000000000090078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.722{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Private.Xml.Linq.dll2023-01-17 10:32:59.722 11241100x800000000000000090077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.651{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Private.Xml.dll2023-01-17 10:32:59.651 11241100x800000000000000090076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.648{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Private.Uri.dll2023-01-17 10:32:59.648 11241100x800000000000000090075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.631{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Private.DataContractSerialization.dll2023-01-17 10:32:59.631 11241100x800000000000000090074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.549{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll2023-01-17 10:32:59.549 11241100x800000000000000090073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.541{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Printing.dll2023-01-17 10:32:59.541 11241100x800000000000000090072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.540{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ObjectModel.dll2023-01-17 10:32:59.540 11241100x800000000000000090071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.539{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Numerics.Vectors.dll2023-01-17 10:32:59.539 11241100x800000000000000090070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.538{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Numerics.dll2023-01-17 10:32:59.538 11241100x800000000000000090069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.537{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.WebSockets.dll2023-01-17 10:32:59.537 11241100x800000000000000090068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.535{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.WebSockets.Client.dll2023-01-17 10:32:59.535 11241100x800000000000000090067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.535{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.WebProxy.dll2023-01-17 10:32:59.534 11241100x800000000000000090066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.533{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.WebHeaderCollection.dll2023-01-17 10:32:59.533 11241100x800000000000000090065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.532{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.WebClient.dll2023-01-17 10:32:59.531 11241100x800000000000000090064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.526{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.Sockets.dll2023-01-17 10:32:59.526 11241100x800000000000000090063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.525{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.ServicePoint.dll2023-01-17 10:32:59.525 11241100x800000000000000090062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.519{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.Security.dll2023-01-17 10:32:59.519 11241100x800000000000000090061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.516{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.Requests.dll2023-01-17 10:32:59.516 11241100x800000000000000090060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.513{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.Primitives.dll2023-01-17 10:32:59.513 11241100x800000000000000090059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.512{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.Ping.dll2023-01-17 10:32:59.512 11241100x800000000000000090058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.510{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.NetworkInformation.dll2023-01-17 10:32:59.510 11241100x800000000000000090057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.508{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.NameResolution.dll2023-01-17 10:32:59.508 11241100x800000000000000090056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.503{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.Mail.dll2023-01-17 10:32:59.503 11241100x800000000000000090055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.497{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.HttpListener.dll2023-01-17 10:32:59.497 11241100x800000000000000090054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.496{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.Http.Json.dll2023-01-17 10:32:59.496 11241100x800000000000000090053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.480{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.Http.dll2023-01-17 10:32:59.480 11241100x800000000000000090052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.479{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Net.dll2023-01-17 10:32:59.479 11241100x800000000000000090051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.477{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Memory.dll2023-01-17 10:32:59.477 11241100x800000000000000090050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.475{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Linq.Queryable.dll2023-01-17 10:32:59.475 11241100x800000000000000090049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.466{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Linq.Parallel.dll2023-01-17 10:32:59.464 11241100x800000000000000090048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.436{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Linq.Expressions.dll2023-01-17 10:32:59.436 11241100x800000000000000090047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.432{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Linq.dll2023-01-17 10:32:59.432 11241100x800000000000000090046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.431{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.UnmanagedMemoryStream.dll2023-01-17 10:32:59.431 11241100x800000000000000090045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.430{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.Pipes.dll2023-01-17 10:32:59.430 11241100x800000000000000090044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.429{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.Pipes.AccessControl.dll2023-01-17 10:32:59.429 11241100x800000000000000090043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.426{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.Packaging.dll2023-01-17 10:32:59.426 11241100x800000000000000090042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.425{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.MemoryMappedFiles.dll2023-01-17 10:32:59.425 11241100x800000000000000090041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.424{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.IsolatedStorage.dll2023-01-17 10:32:59.424 11241100x800000000000000090040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.422{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.FileSystem.Watcher.dll2023-01-17 10:32:59.422 11241100x800000000000000090039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.422{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.FileSystem.Primitives.dll2023-01-17 10:32:59.422 11241100x800000000000000090038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.421{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.FileSystem.DriveInfo.dll2023-01-17 10:32:59.421 11241100x800000000000000090037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.418{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.FileSystem.dll2023-01-17 10:32:59.418 11241100x800000000000000090036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.417{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.FileSystem.AccessControl.dll2023-01-17 10:32:59.417 11241100x800000000000000090035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.416{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.dll2023-01-17 10:32:59.416 11241100x800000000000000090034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.415{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.Compression.ZipFile.dll2023-01-17 10:32:59.415 11241100x800000000000000090033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.415{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.Compression.FileSystem.dll2023-01-17 10:32:59.415 11241100x800000000000000090032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.412{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.Compression.dll2023-01-17 10:32:59.412 11241100x800000000000000090031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.411{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.IO.Compression.Brotli.dll2023-01-17 10:32:59.410 11241100x800000000000000090030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.410{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Globalization.Extensions.dll2023-01-17 10:32:59.410 11241100x800000000000000090029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.409{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Globalization.dll2023-01-17 10:32:59.409 11241100x800000000000000090028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.408{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Globalization.Calendars.dll2023-01-17 10:32:59.408 11241100x800000000000000090027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.406{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Formats.Asn1.dll2023-01-17 10:32:59.406 11241100x800000000000000090026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.406{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Dynamic.Runtime.dll2023-01-17 10:32:59.405 11241100x800000000000000090025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.404{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Drawing.Primitives.dll2023-01-17 10:32:59.402 11241100x800000000000000090024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.402{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Drawing.dll2023-01-17 10:32:59.402 11241100x800000000000000090023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.402{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Drawing.Design.dll2023-01-17 10:32:59.402 11241100x800000000000000090022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.394{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Drawing.Common.dll2023-01-17 10:32:59.394 11241100x800000000000000090021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.393{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.dll2023-01-17 10:32:59.393 11241100x800000000000000090020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.384{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.DirectoryServices.dll2023-01-17 10:32:59.384 11241100x800000000000000090019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.383{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Tracing.dll2023-01-17 10:32:59.383 11241100x800000000000000090018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.382{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.TraceSource.dll2023-01-17 10:32:59.382 11241100x800000000000000090017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.381{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Tools.dll2023-01-17 10:32:59.381 11241100x800000000000000090016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.380{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.TextWriterTraceListener.dll2023-01-17 10:32:59.380 11241100x800000000000000090015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.379{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.StackTrace.dll2023-01-17 10:32:59.379 11241100x800000000000000090014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.376{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll2023-01-17 10:32:59.376 11241100x800000000000000090013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.373{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.PerformanceCounter.dll2023-01-17 10:32:59.373 11241100x800000000000000090012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.372{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.FileVersionInfo.dll2023-01-17 10:32:59.372 11241100x800000000000000090011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.369{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.EventLog.dll2023-01-17 10:32:59.369 11241100x800000000000000090010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.367{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.DiagnosticSource.dll2023-01-17 10:32:59.366 11241100x800000000000000090009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.366{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Debug.dll2023-01-17 10:32:59.366 11241100x800000000000000090008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.365{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Contracts.dll2023-01-17 10:32:59.365 11241100x800000000000000090007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.364{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Design.dll2023-01-17 10:32:59.364 11241100x800000000000000090006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.364{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Data.dll2023-01-17 10:32:59.363 11241100x800000000000000090005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.363{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Data.DataSetExtensions.dll2023-01-17 10:32:59.363 11241100x800000000000000090004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.339{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Data.Common.dll2023-01-17 10:32:59.337 11241100x800000000000000090003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.337{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Core.dll2023-01-17 10:32:59.337 11241100x800000000000000090002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.335{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Console.dll2023-01-17 10:32:59.335 11241100x800000000000000090001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.335{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Configuration.dll2023-01-17 10:32:59.335 11241100x800000000000000090000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.325{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Configuration.ConfigurationManager.dll2023-01-17 10:32:59.325 11241100x800000000000000089999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.325{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Composition.TypedParts.dll2023-01-17 10:32:59.325 11241100x800000000000000089998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.323{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Composition.Runtime.dll2023-01-17 10:32:59.323 11241100x800000000000000089997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.323{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Composition.Hosting.dll2023-01-17 10:32:59.323 11241100x800000000000000089996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.321{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Composition.Convention.dll2023-01-17 10:32:59.321 11241100x800000000000000089995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.321{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Composition.AttributedModel.dll2023-01-17 10:32:59.321 11241100x800000000000000089994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.315{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.TypeConverter.dll2023-01-17 10:32:59.315 11241100x800000000000000089993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.313{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.Primitives.dll2023-01-17 10:32:59.313 11241100x800000000000000089992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.311{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.EventBasedAsync.dll2023-01-17 10:32:59.311 11241100x800000000000000089991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.309{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.dll2023-01-17 10:32:59.309 11241100x800000000000000089990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.309{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.DataAnnotations.dll2023-01-17 10:32:59.309 11241100x800000000000000089989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.305{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.Composition.dll2023-01-17 10:32:59.305 11241100x800000000000000089988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.303{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.Annotations.dll2023-01-17 10:32:59.303 11241100x800000000000000089987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.301{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Collections.Specialized.dll2023-01-17 10:32:59.301 11241100x800000000000000089986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.300{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\database_76D0_D90_D00D_582F\fsrtmp.log2023-01-16 13:14:26.471 11241100x800000000000000089985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.298{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Collections.NonGeneric.dll2023-01-17 10:32:59.298 11241100x800000000000000089984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.277{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Collections.Immutable.dll2023-01-17 10:32:59.277 11241100x800000000000000089983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.277{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Collections.dll2023-01-17 10:32:59.277 11241100x800000000000000089982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.276{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Collections.Concurrent.dll2023-01-17 10:32:59.276 11241100x800000000000000089981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.272{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.CodeDom.dll2023-01-17 10:32:59.270 11241100x800000000000000089980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.269{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Buffers.dll2023-01-17 10:32:59.269 11241100x800000000000000089979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.269{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.AppContext.dll2023-01-17 10:32:59.268 11241100x800000000000000089978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.253{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ReachFramework.dll2023-01-17 10:32:59.253 11241100x800000000000000089977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.242{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationUI.dll2023-01-17 10:32:59.242 11241100x800000000000000089976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.231{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationNative_cor3.dll2023-01-17 10:32:59.231 11241100x800000000000000089975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.231{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemXmlLinq.dll2023-01-17 10:32:59.230 11241100x800000000000000089974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.230{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemXml.dll2023-01-17 10:32:59.230 11241100x800000000000000089973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.229{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemDrawing.dll2023-01-17 10:32:59.229 11241100x800000000000000089972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.228{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemData.dll2023-01-17 10:32:59.228 11241100x800000000000000089971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.227{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemCore.dll2023-01-17 10:32:59.227 11241100x800000000000000089970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.224{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Royale.dll2023-01-17 10:32:59.224 11241100x800000000000000089969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.219{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Luna.dll2023-01-17 10:32:59.219 11241100x800000000000000089968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.095{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000089967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.095{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B99ACD68A5597F22B1A85F11763E589A,SHA256=CD0943BF26A2DBCA7B96EBA45D5C01F13F6BD628A2C92ABCB7F29860B65CEE78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000089966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.078{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.dll2023-01-17 10:32:59.078 11241100x800000000000000089965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.075{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Classic.dll2023-01-17 10:32:59.075 11241100x800000000000000089964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.073{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.AeroLite.dll2023-01-17 10:32:59.073 11241100x800000000000000089963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.069{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Aero2.dll2023-01-17 10:32:59.069 11241100x800000000000000089962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.065{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Aero.dll2023-01-17 10:32:59.065 23542300x800000000000000069076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:59.760{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFAA47EDB8E8273E3C01148F79EFDBF,SHA256=208BC4E21AE8FDF713A2BBEED089F9568A1B6FFD18DCAC14C0D3804B2FB6AC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:59.697{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.972{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49579-false142.250.190.138ord37s36-in-f10.1e100.net443https 354300x800000000000000090672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.956{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50076- 354300x800000000000000090671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.955{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51526- 354300x800000000000000090670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:58.953{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49805- 11241100x800000000000000090669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.660{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy.exe2023-01-17 10:33:00.660 11241100x800000000000000090668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.659{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy.Console.exe2023-01-17 10:33:00.659 11241100x800000000000000090667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.658{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.657 11241100x800000000000000090666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.657{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.657 11241100x800000000000000090665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.656{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.resources.dll2023-01-17 10:33:00.656 11241100x800000000000000090664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.655{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.655 11241100x800000000000000090663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.654{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.654 11241100x800000000000000090662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.654{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.653 11241100x800000000000000090661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.653{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.653 11241100x800000000000000090660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.652{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.652 11241100x800000000000000090659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.651{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.651 11241100x800000000000000090658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.651{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.651 11241100x800000000000000090657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.650{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.650 11241100x800000000000000090656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.649{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.649 11241100x800000000000000090655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.649{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Console.resources.dll2023-01-17 10:33:00.649 11241100x800000000000000090654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.648{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.648 11241100x800000000000000090653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.647{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.646 11241100x800000000000000090652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.646{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.646 11241100x800000000000000090651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.646{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\zh-CN2023-01-17 10:33:00.646 11241100x800000000000000090650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.645{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.637 11241100x800000000000000090649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.636{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.636 11241100x800000000000000090648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.635{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.resources.dll2023-01-17 10:33:00.635 11241100x800000000000000090647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.634{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.634 11241100x800000000000000090646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.634{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.634 11241100x800000000000000090645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.633{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.633 11241100x800000000000000090644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.632{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.632 11241100x800000000000000090643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.631{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.631 11241100x800000000000000090642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.631{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.630 11241100x800000000000000090641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.630{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.630 11241100x800000000000000090640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.629{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.629 11241100x800000000000000090639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.629{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.628 11241100x800000000000000090638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.628{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Console.resources.dll2023-01-17 10:33:00.628 11241100x800000000000000090637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.627{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.627 11241100x800000000000000090636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.626{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.625 11241100x800000000000000090635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.625{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.625 11241100x800000000000000090634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.625{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\uk2023-01-17 10:33:00.625 11241100x800000000000000090633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.624{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\WindowsFormsIntegration.resources.dll2023-01-17 10:33:00.623 11241100x800000000000000090632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.622{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\WindowsBase.resources.dll2023-01-17 10:33:00.622 11241100x800000000000000090631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.621{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\UIAutomationTypes.resources.dll2023-01-17 10:33:00.621 11241100x800000000000000090630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.620{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 11241100x800000000000000090629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.620{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\UIAutomationProvider.resources.dll2023-01-17 10:33:00.620 23542300x800000000000000090628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.620{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76931136280F2730B9F898CFC8B8D6F9,SHA256=816640FBBB742A60A01791E6B04BAB1FBC196C0C06B8FD0FCF7240DF069C8AE3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.619{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\UIAutomationClientSideProviders.resources.dll2023-01-17 10:33:00.619 11241100x800000000000000090626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.618{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\UIAutomationClient.resources.dll2023-01-17 10:33:00.618 11241100x800000000000000090625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.617{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\System.Xaml.resources.dll2023-01-17 10:33:00.617 11241100x800000000000000090624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.616{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:33:00.616 11241100x800000000000000090623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.613{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\System.Windows.Forms.resources.dll2023-01-17 10:33:00.611 11241100x800000000000000090622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.611{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:33:00.611 11241100x800000000000000090621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.609{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\System.Windows.Forms.Design.resources.dll2023-01-17 10:33:00.609 11241100x800000000000000090620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.609{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:33:00.609 11241100x800000000000000090619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.608{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\ReachFramework.resources.dll2023-01-17 10:33:00.608 11241100x800000000000000090618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.607{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\PresentationUI.resources.dll2023-01-17 10:33:00.607 11241100x800000000000000090617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.605{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\PresentationFramework.resources.dll2023-01-17 10:33:00.605 11241100x800000000000000090616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.603{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\PresentationCore.resources.dll2023-01-17 10:33:00.603 11241100x800000000000000090615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.603{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:33:00.602 11241100x800000000000000090614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.601{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:33:00.601 11241100x800000000000000090613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.600{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:33:00.600 11241100x800000000000000090612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.599{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:33:00.599 11241100x800000000000000090611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.598{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:33:00.598 11241100x800000000000000090610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.596{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:33:00.595 11241100x800000000000000090609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.594{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:33:00.594 11241100x800000000000000090608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.594{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:33:00.593 11241100x800000000000000090607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.592{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:33:00.592 11241100x800000000000000090606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.591{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:33:00.590 11241100x800000000000000090605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.590{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:33:00.590 11241100x800000000000000090604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.589{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:33:00.589 11241100x800000000000000090603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.587{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:33:00.586 11241100x800000000000000090602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.586{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:33:00.586 11241100x800000000000000090601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.585{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.584 11241100x800000000000000090600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.584{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.584 11241100x800000000000000090599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.583{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.resources.dll2023-01-17 10:33:00.583 11241100x800000000000000090598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.582{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.582 11241100x800000000000000090597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.581{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.581 11241100x800000000000000090596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.581{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.581 11241100x800000000000000090595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.580{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.580 11241100x800000000000000090594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.579{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.579 11241100x800000000000000090593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.578{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.578 11241100x800000000000000090592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.577{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.577 11241100x800000000000000090591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.577{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.577 11241100x800000000000000090590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.576{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.576 11241100x800000000000000090589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.575{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Console.resources.dll2023-01-17 10:33:00.575 11241100x800000000000000090588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.575{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.574 11241100x800000000000000090587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.573{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.573 11241100x800000000000000090586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.572{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.572 11241100x800000000000000090585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.572{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\tr2023-01-17 10:33:00.572 11241100x800000000000000090584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.571{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Themes\light.dntheme2023-01-17 10:33:00.570 11241100x800000000000000090583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.569{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Themes\hc.dntheme2023-01-17 10:33:00.569 11241100x800000000000000090582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.568{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Themes\dark.dntheme2023-01-17 10:33:00.568 11241100x800000000000000090581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.568{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Themes\blue.dntheme2023-01-17 10:33:00.568 11241100x800000000000000090580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.567{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\Themes2023-01-17 10:33:00.567 11241100x800000000000000090579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.567{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\WindowsFormsIntegration.resources.dll2023-01-17 10:33:00.562 11241100x800000000000000090578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.561{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\WindowsBase.resources.dll2023-01-17 10:33:00.561 11241100x800000000000000090577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.560{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\UIAutomationTypes.resources.dll2023-01-17 10:33:00.560 11241100x800000000000000090576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.559{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\UIAutomationProvider.resources.dll2023-01-17 10:33:00.559 11241100x800000000000000090575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.559{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\UIAutomationClientSideProviders.resources.dll2023-01-17 10:33:00.559 11241100x800000000000000090574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.558{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\UIAutomationClient.resources.dll2023-01-17 10:33:00.558 11241100x800000000000000090573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.557{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\System.Xaml.resources.dll2023-01-17 10:33:00.557 11241100x800000000000000090572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.556{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:33:00.556 11241100x800000000000000090571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.553{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\System.Windows.Forms.resources.dll2023-01-17 10:33:00.551 11241100x800000000000000090570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.551{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:33:00.551 11241100x800000000000000090569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.549{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\System.Windows.Forms.Design.resources.dll2023-01-17 10:33:00.549 11241100x800000000000000090568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.548{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:33:00.548 11241100x800000000000000090567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.548{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\ReachFramework.resources.dll2023-01-17 10:33:00.547 11241100x800000000000000090566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.547{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\PresentationUI.resources.dll2023-01-17 10:33:00.546 11241100x800000000000000090565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.544{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\PresentationFramework.resources.dll2023-01-17 10:33:00.544 11241100x800000000000000090564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.543{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\PresentationCore.resources.dll2023-01-17 10:33:00.543 11241100x800000000000000090563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.542{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:33:00.541 11241100x800000000000000090562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.540{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:33:00.540 11241100x800000000000000090561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.540{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:33:00.540 11241100x800000000000000090560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.539{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:33:00.539 11241100x800000000000000090559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.538{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:33:00.538 11241100x800000000000000090558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.535{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:33:00.535 11241100x800000000000000090557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.534{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:33:00.534 11241100x800000000000000090556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.533{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:33:00.532 11241100x800000000000000090555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.531{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:33:00.531 11241100x800000000000000090554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.530{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:33:00.530 11241100x800000000000000090553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.529{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:33:00.529 11241100x800000000000000090552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.529{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:33:00.529 11241100x800000000000000090551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.526{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:33:00.526 11241100x800000000000000090550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.525{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:33:00.525 11241100x800000000000000090549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.524{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.524 11241100x800000000000000090548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.523{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.523 11241100x800000000000000090547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.522{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.resources.dll2023-01-17 10:33:00.522 11241100x800000000000000090546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.521{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.521 11241100x800000000000000090545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.521{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.521 11241100x800000000000000090544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.520{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.520 11241100x800000000000000090543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.519{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.519 11241100x800000000000000090542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.518{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.518 11241100x800000000000000090541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.518{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.518 11241100x800000000000000090540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.517{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.517 11241100x800000000000000090539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.516{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.516 11241100x800000000000000090538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.515{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.515 11241100x800000000000000090537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.515{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Console.resources.dll2023-01-17 10:33:00.515 11241100x800000000000000090536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.514{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.513 11241100x800000000000000090535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.512{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.512 11241100x800000000000000090534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.512{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.511 11241100x800000000000000090533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.511{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ru2023-01-17 10:33:00.511 11241100x800000000000000090532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.511{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.510 11241100x800000000000000090531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.509{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.509 11241100x800000000000000090530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.508{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.resources.dll2023-01-17 10:33:00.508 11241100x800000000000000090529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.508{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.508 11241100x800000000000000090528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.507{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.507 11241100x800000000000000090527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.506{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.506 11241100x800000000000000090526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.505{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.505 11241100x800000000000000090525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.505{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.505 11241100x800000000000000090524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.504{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.504 11241100x800000000000000090523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.503{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.503 11241100x800000000000000090522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.502{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.502 11241100x800000000000000090521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.502{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.502 11241100x800000000000000090520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.501{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Console.resources.dll2023-01-17 10:33:00.501 11241100x800000000000000090519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.500{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.499 11241100x800000000000000090518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.498{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.498 11241100x800000000000000090517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.498{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.498 11241100x800000000000000090516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.498{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-PT2023-01-17 10:33:00.497 11241100x800000000000000090515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.497{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\WindowsFormsIntegration.resources.dll2023-01-17 10:33:00.496 11241100x800000000000000090514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.495{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\WindowsBase.resources.dll2023-01-17 10:33:00.495 11241100x800000000000000090513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.494{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\UIAutomationTypes.resources.dll2023-01-17 10:33:00.494 11241100x800000000000000090512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.491{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\UIAutomationProvider.resources.dll2023-01-17 10:33:00.491 11241100x800000000000000090511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.490{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\UIAutomationClientSideProviders.resources.dll2023-01-17 10:33:00.490 11241100x800000000000000090510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.490{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\UIAutomationClient.resources.dll2023-01-17 10:33:00.490 11241100x800000000000000090509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.489{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\System.Xaml.resources.dll2023-01-17 10:33:00.488 11241100x800000000000000090508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.488{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:33:00.488 11241100x800000000000000090507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.485{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.485{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DED84E02C436815B691C360F34A7FC7,SHA256=199EEE087B75BE077D53E502D145BC563A50CBBC38650EB5562CFFF32DE70D75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.485{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\System.Windows.Forms.resources.dll2023-01-17 10:33:00.483 11241100x800000000000000090504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.482{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:33:00.482 11241100x800000000000000090503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.481{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\System.Windows.Forms.Design.resources.dll2023-01-17 10:33:00.480 11241100x800000000000000090502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.480{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:33:00.480 11241100x800000000000000090501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.479{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\ReachFramework.resources.dll2023-01-17 10:33:00.479 11241100x800000000000000090500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.478{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\PresentationUI.resources.dll2023-01-17 10:33:00.478 11241100x800000000000000090499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.476{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\PresentationFramework.resources.dll2023-01-17 10:33:00.476 11241100x800000000000000090498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.475{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\PresentationCore.resources.dll2023-01-17 10:33:00.474 11241100x800000000000000090497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.474{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:33:00.473 11241100x800000000000000090496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.472{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:33:00.472 11241100x800000000000000090495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.472{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:33:00.471 11241100x800000000000000090494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.471{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:33:00.471 11241100x800000000000000090493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.470{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:33:00.470 11241100x800000000000000090492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.467{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:33:00.467 11241100x800000000000000090491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.466{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:33:00.466 11241100x800000000000000090490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.465{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:33:00.464 11241100x800000000000000090489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.464{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:33:00.463 11241100x800000000000000090488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.462{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:33:00.462 11241100x800000000000000090487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.461{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:33:00.461 11241100x800000000000000090486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.460{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:33:00.460 11241100x800000000000000090485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.457{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:33:00.457 11241100x800000000000000090484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.457{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:33:00.457 11241100x800000000000000090483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.456{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.455 11241100x800000000000000090482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.454{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.454 11241100x800000000000000090481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.453{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.resources.dll2023-01-17 10:33:00.453 11241100x800000000000000090480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.452{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.452 11241100x800000000000000090479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.452{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.451 11241100x800000000000000090478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.451{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.451 11241100x800000000000000090477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.450{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.450 11241100x800000000000000090476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.449{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.449 11241100x800000000000000090475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.448{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.448 11241100x800000000000000090474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.447{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.447 11241100x800000000000000090473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.446{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.446 11241100x800000000000000090472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.446{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.446 11241100x800000000000000090471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.445{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Console.resources.dll2023-01-17 10:33:00.445 11241100x800000000000000090470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.444{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.443 11241100x800000000000000090469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.442{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.442 11241100x800000000000000090468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.441{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.441 11241100x800000000000000090467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.441{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\pt-BR2023-01-17 10:33:00.441 11241100x800000000000000090466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.440{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\OtherLicenses.txt2023-01-17 10:33:00.439 11241100x800000000000000090465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.439{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\LICENSE.txt2023-01-17 10:33:00.439 11241100x800000000000000090464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.438{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\GPLv3.txt2023-01-17 10:33:00.438 11241100x800000000000000090463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.437{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\CREDITS.txt2023-01-17 10:33:00.437 11241100x800000000000000090462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.437{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\ApacheV2.txt2023-01-17 10:33:00.437 11241100x800000000000000090461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.436{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\LicenseInfo2023-01-17 10:33:00.436 11241100x800000000000000090460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.436{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\WindowsFormsIntegration.resources.dll2023-01-17 10:33:00.434 11241100x800000000000000090459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.433{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\WindowsBase.resources.dll2023-01-17 10:33:00.433 11241100x800000000000000090458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.433{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\UIAutomationTypes.resources.dll2023-01-17 10:33:00.432 11241100x800000000000000090457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.432{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\UIAutomationProvider.resources.dll2023-01-17 10:33:00.432 11241100x800000000000000090456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.431{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\UIAutomationClientSideProviders.resources.dll2023-01-17 10:33:00.431 11241100x800000000000000090455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.430{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\UIAutomationClient.resources.dll2023-01-17 10:33:00.430 11241100x800000000000000090454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.429{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\System.Xaml.resources.dll2023-01-17 10:33:00.429 11241100x800000000000000090453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.428{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:33:00.428 11241100x800000000000000090452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.425{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\System.Windows.Forms.resources.dll2023-01-17 10:33:00.424 11241100x800000000000000090451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.423{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:33:00.423 11241100x800000000000000090450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.422{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\System.Windows.Forms.Design.resources.dll2023-01-17 10:33:00.422 11241100x800000000000000090449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.421{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:33:00.421 11241100x800000000000000090448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.420{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\ReachFramework.resources.dll2023-01-17 10:33:00.420 11241100x800000000000000090447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.419{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\PresentationUI.resources.dll2023-01-17 10:33:00.419 11241100x800000000000000090446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.417{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\PresentationFramework.resources.dll2023-01-17 10:33:00.417 11241100x800000000000000090445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.416{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\PresentationCore.resources.dll2023-01-17 10:33:00.416 11241100x800000000000000090444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.415{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:33:00.414 11241100x800000000000000090443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.414{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:33:00.414 11241100x800000000000000090442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.413{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:33:00.413 11241100x800000000000000090441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.412{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:33:00.412 11241100x800000000000000090440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.411{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:33:00.411 11241100x800000000000000090439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.409{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:33:00.409 11241100x800000000000000090438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.408{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:33:00.407 11241100x800000000000000090437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.407{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:33:00.406 11241100x800000000000000090436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.405{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:33:00.405 11241100x800000000000000090435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.404{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:33:00.404 11241100x800000000000000090434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.403{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:33:00.403 11241100x800000000000000090433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.402{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:33:00.401 11241100x800000000000000090432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.398{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:33:00.397 11241100x800000000000000090431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.397{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:33:00.395 11241100x800000000000000090430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.395{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.393 11241100x800000000000000090429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.392{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.392 11241100x800000000000000090428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.391{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.resources.dll2023-01-17 10:33:00.390 11241100x800000000000000090427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.390{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.390 11241100x800000000000000090426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.389{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.389 11241100x800000000000000090425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.388{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.388 11241100x800000000000000090424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.387{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.387 11241100x800000000000000090423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.387{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.387 11241100x800000000000000090422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.386{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.386 11241100x800000000000000090421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.385{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.385 11241100x800000000000000090420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.383{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.383 11241100x800000000000000090419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.382{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.382 11241100x800000000000000090418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.381{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Console.resources.dll2023-01-17 10:33:00.379 11241100x800000000000000090417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.378{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.376 11241100x800000000000000090416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.374{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.374 11241100x800000000000000090415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.374{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.374 11241100x800000000000000090414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.374{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\it2023-01-17 10:33:00.374 11241100x800000000000000090413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.372{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.361 11241100x800000000000000090412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.361{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.361 11241100x800000000000000090411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.360{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.resources.dll2023-01-17 10:33:00.360 11241100x800000000000000090410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.359{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.359 11241100x800000000000000090409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.358{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.358 11241100x800000000000000090408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.358{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.358 11241100x800000000000000090407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.357{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.357 11241100x800000000000000090406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.356{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.356 11241100x800000000000000090405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.355{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.355 11241100x800000000000000090404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.355{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.355 11241100x800000000000000090403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.354{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.354 11241100x800000000000000090402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.353{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.353 11241100x800000000000000090401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.353{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Console.resources.dll2023-01-17 10:33:00.352 11241100x800000000000000090400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.352{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.351 11241100x800000000000000090399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.350{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.350 11241100x800000000000000090398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.349{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.349 11241100x800000000000000090397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.349{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\hu2023-01-17 10:33:00.349 11241100x800000000000000090396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.349{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.348{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD07F165FB2548488991D7DA9A7B7E9,SHA256=7BD1E191EBF165E4E3090AE52E94EA23242CD03D32627B62F7444A9A4AE17D00,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.348{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\WindowsFormsIntegration.resources.dll2023-01-17 10:33:00.347 11241100x800000000000000090393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.346{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\WindowsBase.resources.dll2023-01-17 10:33:00.346 11241100x800000000000000090392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.345{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\UIAutomationTypes.resources.dll2023-01-17 10:33:00.345 11241100x800000000000000090391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.344{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\UIAutomationProvider.resources.dll2023-01-17 10:33:00.344 11241100x800000000000000090390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.343{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\UIAutomationClientSideProviders.resources.dll2023-01-17 10:33:00.343 11241100x800000000000000090389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.343{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\UIAutomationClient.resources.dll2023-01-17 10:33:00.343 11241100x800000000000000090388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.342{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\System.Xaml.resources.dll2023-01-17 10:33:00.341 11241100x800000000000000090387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.341{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:33:00.341 11241100x800000000000000090386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.338{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\System.Windows.Forms.resources.dll2023-01-17 10:33:00.337 11241100x800000000000000090385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.336{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:33:00.336 11241100x800000000000000090384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.335{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\System.Windows.Forms.Design.resources.dll2023-01-17 10:33:00.335 11241100x800000000000000090383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.333{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:33:00.333 11241100x800000000000000090382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.333{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\ReachFramework.resources.dll2023-01-17 10:33:00.333 11241100x800000000000000090381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.331{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\PresentationUI.resources.dll2023-01-17 10:33:00.331 11241100x800000000000000090380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.329{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\PresentationFramework.resources.dll2023-01-17 10:33:00.329 11241100x800000000000000090379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.327{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\PresentationCore.resources.dll2023-01-17 10:33:00.327 11241100x800000000000000090378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.327{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:33:00.325 11241100x800000000000000090377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.325{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:33:00.325 11241100x800000000000000090376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.323{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:33:00.323 11241100x800000000000000090375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.323{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:33:00.323 11241100x800000000000000090374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.323{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:33:00.323 11241100x800000000000000090373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.319{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:33:00.319 11241100x800000000000000090372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.319{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:33:00.319 11241100x800000000000000090371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.317{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:33:00.317 11241100x800000000000000090370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.315{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:33:00.315 11241100x800000000000000090369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.315{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:33:00.315 11241100x800000000000000090368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.313{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:33:00.313 11241100x800000000000000090367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.313{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:33:00.313 11241100x800000000000000090366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.311{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:33:00.311 11241100x800000000000000090365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.310{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:33:00.310 11241100x800000000000000090364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.310{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.309 11241100x800000000000000090363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.308{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.308 11241100x800000000000000090362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.307{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.resources.dll2023-01-17 10:33:00.307 11241100x800000000000000090361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.307{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.306 11241100x800000000000000090360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.306{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.306 11241100x800000000000000090359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.305{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.305 11241100x800000000000000090358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.304{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.304 11241100x800000000000000090357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.304{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.304 11241100x800000000000000090356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.303{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.303 11241100x800000000000000090355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.302{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.302 11241100x800000000000000090354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.301{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.301 11241100x800000000000000090353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.301{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.301 11241100x800000000000000090352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.300{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Console.resources.dll2023-01-17 10:33:00.300 11241100x800000000000000090351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.299{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.298 11241100x800000000000000090350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.297{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.297 11241100x800000000000000090349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.296{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.296 11241100x800000000000000090348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.296{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fr2023-01-17 10:33:00.296 11241100x800000000000000090347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.295{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\FileLists\DOTNET Framework v4.0 Client.FileList.xml2023-01-17 10:33:00.295 11241100x800000000000000090346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.295{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\FileLists\DOTNET Framework v3.5 Client.FileList.xml2023-01-17 10:33:00.295 11241100x800000000000000090345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.293{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\FileLists2023-01-17 10:33:00.293 11241100x800000000000000090344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.293{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.293 11241100x800000000000000090343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.291{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.291 11241100x800000000000000090342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.291{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.resources.dll2023-01-17 10:33:00.291 11241100x800000000000000090341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.288{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.288 11241100x800000000000000090340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.288{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.288 11241100x800000000000000090339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.288{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.288 11241100x800000000000000090338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.286{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.286 11241100x800000000000000090337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.286{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.286 11241100x800000000000000090336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.286{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.284 11241100x800000000000000090335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.284{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.284 11241100x800000000000000090334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.284{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.284 11241100x800000000000000090333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.284{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.284 11241100x800000000000000090332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.282{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Console.resources.dll2023-01-17 10:33:00.282 11241100x800000000000000090331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.282{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.282 11241100x800000000000000090330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.280{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.280 11241100x800000000000000090329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.280{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.280 11241100x800000000000000090328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.280{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\fa2023-01-17 10:33:00.280 11241100x800000000000000090327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.278{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.278 11241100x800000000000000090326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.276{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.276 11241100x800000000000000090325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.276{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.resources.dll2023-01-17 10:33:00.276 11241100x800000000000000090324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.276{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.276 11241100x800000000000000090323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.275{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.275 11241100x800000000000000090322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.275{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.275 11241100x800000000000000090321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.275{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.272 11241100x800000000000000090320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.272{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.272 11241100x800000000000000090319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.272{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.272 11241100x800000000000000090318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.272{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.272 11241100x800000000000000090317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.270{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.270 11241100x800000000000000090316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.270{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.270 11241100x800000000000000090315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.270{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Console.resources.dll2023-01-17 10:33:00.270 11241100x800000000000000090314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.268{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.268 11241100x800000000000000090313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.266{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.266 11241100x800000000000000090312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.266{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.266 11241100x800000000000000090311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.266{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es-ES2023-01-17 10:33:00.266 11241100x800000000000000090310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.266{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\WindowsFormsIntegration.resources.dll2023-01-17 10:33:00.264 11241100x800000000000000090309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.262{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\WindowsBase.resources.dll2023-01-17 10:33:00.262 11241100x800000000000000090308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.262{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\UIAutomationTypes.resources.dll2023-01-17 10:33:00.262 11241100x800000000000000090307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.262{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\UIAutomationProvider.resources.dll2023-01-17 10:33:00.262 11241100x800000000000000090306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.260{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\UIAutomationClientSideProviders.resources.dll2023-01-17 10:33:00.260 11241100x800000000000000090305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.260{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\UIAutomationClient.resources.dll2023-01-17 10:33:00.260 11241100x800000000000000090304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.258{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\System.Xaml.resources.dll2023-01-17 10:33:00.258 11241100x800000000000000090303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.258{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:33:00.258 11241100x800000000000000090302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.256{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\System.Windows.Forms.resources.dll2023-01-17 10:33:00.254 11241100x800000000000000090301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.254{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:33:00.254 11241100x800000000000000090300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.252{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\System.Windows.Forms.Design.resources.dll2023-01-17 10:33:00.252 11241100x800000000000000090299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.252{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:33:00.252 11241100x800000000000000090298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.250{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\ReachFramework.resources.dll2023-01-17 10:33:00.250 11241100x800000000000000090297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.250{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\PresentationUI.resources.dll2023-01-17 10:33:00.250 11241100x800000000000000090296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.248{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\PresentationFramework.resources.dll2023-01-17 10:33:00.248 11241100x800000000000000090295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.246{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\PresentationCore.resources.dll2023-01-17 10:33:00.246 11241100x800000000000000090294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.246{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:33:00.244 11241100x800000000000000090293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.244{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:33:00.244 11241100x800000000000000090292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.244{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:33:00.244 11241100x800000000000000090291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.242{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:33:00.242 11241100x800000000000000090290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.242{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:33:00.242 11241100x800000000000000090289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.240{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:33:00.240 11241100x800000000000000090288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.238{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:33:00.238 11241100x800000000000000090287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.238{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:33:00.238 11241100x800000000000000090286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.236{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:33:00.236 11241100x800000000000000090285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.236{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:33:00.236 11241100x800000000000000090284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.234{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:33:00.234 11241100x800000000000000090283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.234{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:33:00.228 11241100x800000000000000090282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.226{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:33:00.226 11241100x800000000000000090281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.224{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:33:00.224 11241100x800000000000000090280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.224{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\es2023-01-17 10:33:00.224 11241100x800000000000000090279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.224{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\debug\DotNet.ex.xml2023-01-17 10:33:00.224 11241100x800000000000000090278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.224{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\debug2023-01-17 10:33:00.224 11241100x800000000000000090277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.222{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\WindowsFormsIntegration.resources.dll2023-01-17 10:33:00.222 11241100x800000000000000090276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.220{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\WindowsBase.resources.dll2023-01-17 10:33:00.220 11241100x800000000000000090275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.220{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\UIAutomationTypes.resources.dll2023-01-17 10:33:00.220 11241100x800000000000000090274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.218{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\UIAutomationProvider.resources.dll2023-01-17 10:33:00.218 11241100x800000000000000090273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.218{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\UIAutomationClientSideProviders.resources.dll2023-01-17 10:33:00.218 11241100x800000000000000090272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.218{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\UIAutomationClient.resources.dll2023-01-17 10:33:00.218 11241100x800000000000000090271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.216{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\System.Xaml.resources.dll2023-01-17 10:33:00.216 11241100x800000000000000090270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.216{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:33:00.216 11241100x800000000000000090269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.212{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\System.Windows.Forms.resources.dll2023-01-17 10:33:00.212 11241100x800000000000000090268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.210{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:33:00.210 11241100x800000000000000090267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.210{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\System.Windows.Forms.Design.resources.dll2023-01-17 10:33:00.210 11241100x800000000000000090266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.203{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:33:00.203 11241100x800000000000000090265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.203{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\ReachFramework.resources.dll2023-01-17 10:33:00.203 11241100x800000000000000090264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.203{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\PresentationUI.resources.dll2023-01-17 10:33:00.203 11241100x800000000000000090263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.203{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\PresentationFramework.resources.dll2023-01-17 10:33:00.203 11241100x800000000000000090262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.203{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\PresentationCore.resources.dll2023-01-17 10:33:00.203 11241100x800000000000000090261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.203{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:33:00.202 11241100x800000000000000090260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.203{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.202{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC5FC18547F18D685ED43761E66614F,SHA256=AD95F3149E8B06488881BE390B5898803ECC221DD543DE2C956EA83D75912017,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.201{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:33:00.201 11241100x800000000000000090257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.200{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:33:00.200 354300x800000000000000090256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:57.249{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49578-false10.0.1.12-8000- 11241100x800000000000000090255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.192{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.192{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A575E2328B13406CBDB891295230B2E,SHA256=18C4B25230FF75B85F4B6DED4AAABED647065FBC9D3A3FFA7B1CA5C89520FAC2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.192{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:33:00.192 11241100x800000000000000090252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.192{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:33:00.192 11241100x800000000000000090251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.180{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:33:00.180 11241100x800000000000000090250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.176{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:33:00.176 11241100x800000000000000090249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.176{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:33:00.168 11241100x800000000000000090248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.168{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:33:00.168 11241100x800000000000000090247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.168{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:33:00.168 11241100x800000000000000090246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.168{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:33:00.168 11241100x800000000000000090245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.168{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:33:00.168 11241100x800000000000000090244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.168{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:33:00.168 11241100x800000000000000090243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.168{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:33:00.168 11241100x800000000000000090242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.168{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.166 11241100x800000000000000090241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.166{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.166 11241100x800000000000000090240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.164{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.resources.dll2023-01-17 10:33:00.164 11241100x800000000000000090239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.164{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.162 11241100x800000000000000090238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.162{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.162 11241100x800000000000000090237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.162{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.162 11241100x800000000000000090236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.160{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.160 11241100x800000000000000090235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.160{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.160 11241100x800000000000000090234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.158{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.158 11241100x800000000000000090233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.158{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.158 11241100x800000000000000090232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.158{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.158 11241100x800000000000000090231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.156{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.156 11241100x800000000000000090230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.156{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Console.resources.dll2023-01-17 10:33:00.156 11241100x800000000000000090229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.154{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.154 11241100x800000000000000090228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.152{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.152 11241100x800000000000000090227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.152{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.152 11241100x800000000000000090226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.152{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\de2023-01-17 10:33:00.152 11241100x800000000000000090225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.150{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\WindowsFormsIntegration.resources.dll2023-01-17 10:33:00.150 11241100x800000000000000090224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.148{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\WindowsBase.resources.dll2023-01-17 10:33:00.148 11241100x800000000000000090223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.148{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\UIAutomationTypes.resources.dll2023-01-17 10:33:00.148 11241100x800000000000000090222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.146{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\UIAutomationProvider.resources.dll2023-01-17 10:33:00.146 11241100x800000000000000090221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.146{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\UIAutomationClientSideProviders.resources.dll2023-01-17 10:33:00.146 11241100x800000000000000090220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.144{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\UIAutomationClient.resources.dll2023-01-17 10:33:00.144 11241100x800000000000000090219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.144{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\System.Xaml.resources.dll2023-01-17 10:33:00.144 11241100x800000000000000090218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.144{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:33:00.144 11241100x800000000000000090217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.140{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\System.Windows.Forms.resources.dll2023-01-17 10:33:00.140 11241100x800000000000000090216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.138{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:33:00.138 11241100x800000000000000090215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.138{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\System.Windows.Forms.Design.resources.dll2023-01-17 10:33:00.138 11241100x800000000000000090214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.136{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:33:00.136 11241100x800000000000000090213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.136{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\ReachFramework.resources.dll2023-01-17 10:33:00.136 11241100x800000000000000090212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.134{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\PresentationUI.resources.dll2023-01-17 10:33:00.134 11241100x800000000000000090211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.132{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\PresentationFramework.resources.dll2023-01-17 10:33:00.132 11241100x800000000000000090210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.130{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\PresentationCore.resources.dll2023-01-17 10:33:00.130 11241100x800000000000000090209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.130{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:33:00.128 11241100x800000000000000090208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.128{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:33:00.128 11241100x800000000000000090207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.126{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:33:00.126 11241100x800000000000000090206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.126{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:33:00.126 11241100x800000000000000090205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.126{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:33:00.126 11241100x800000000000000090204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.122{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:33:00.122 11241100x800000000000000090203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.122{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:33:00.122 11241100x800000000000000090202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.120{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:33:00.120 11241100x800000000000000090201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.120{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:33:00.118 11241100x800000000000000090200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.118{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:33:00.118 11241100x800000000000000090199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.118{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:33:00.118 11241100x800000000000000090198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.116{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:33:00.116 11241100x800000000000000090197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.114{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:33:00.114 11241100x800000000000000090196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.114{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:33:00.114 11241100x800000000000000090195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.112{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:33:00.112 11241100x800000000000000090194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.112{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Roslyn.resources.dll2023-01-17 10:33:00.112 11241100x800000000000000090193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.110{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.resources.dll2023-01-17 10:33:00.110 11241100x800000000000000090192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.110{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Decompiler.resources.dll2023-01-17 10:33:00.110 11241100x800000000000000090191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.109{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:33:00.109 11241100x800000000000000090190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.109{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:33:00.109 11241100x800000000000000090189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.107{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Debugger.x.resources.dll2023-01-17 10:33:00.107 11241100x800000000000000090188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.107{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:33:00.106 11241100x800000000000000090187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.106{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:33:00.106 11241100x800000000000000090186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.105{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:33:00.105 11241100x800000000000000090185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.104{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:33:00.104 11241100x800000000000000090184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.104{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:33:00.104 11241100x800000000000000090183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.103{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Console.resources.dll2023-01-17 10:33:00.103 11241100x800000000000000090182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.102{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:33:00.102 11241100x800000000000000090181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.101{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:33:00.101 11241100x800000000000000090180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.100{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs\dnSpy.Analyzer.x.resources.dll2023-01-17 10:33:00.100 11241100x800000000000000090179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.100{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\cs2023-01-17 10:33:00.099 10341000x800000000000000090178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.097{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000090177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.097{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000090176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.097{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000090175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.081{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\wpfgfx_cor3.dll2023-01-17 10:33:00.079 11241100x800000000000000090174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.077{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\WindowsFormsIntegration.dll2023-01-17 10:33:00.077 11241100x800000000000000090173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.055{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\WindowsBase.dll2023-01-17 10:33:00.055 11241100x800000000000000090172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.053{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\vcruntime140_cor3.dll2023-01-17 10:33:00.053 11241100x800000000000000090171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.051{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\UIAutomationTypes.dll2023-01-17 10:33:00.051 11241100x800000000000000090170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.049{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\UIAutomationProvider.dll2023-01-17 10:33:00.049 11241100x800000000000000090169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.041{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\UIAutomationClientSideProviders.dll2023-01-17 10:33:00.041 11241100x800000000000000090168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.037{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\UIAutomationClient.dll2023-01-17 10:33:00.037 11241100x800000000000000090167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.025{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\ucrtbase.dll2023-01-17 10:33:00.025 11241100x800000000000000090166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.025{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Xml.XPath.XDocument.dll2023-01-17 10:33:00.025 11241100x800000000000000090165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.025{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Xml.XPath.dll2023-01-17 10:33:00.025 11241100x800000000000000090164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.023{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Xml.XmlSerializer.dll2023-01-17 10:33:00.023 11241100x800000000000000090163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.023{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Xml.XmlDocument.dll2023-01-17 10:33:00.023 11241100x800000000000000090162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.021{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Xml.XDocument.dll2023-01-17 10:33:00.021 11241100x800000000000000090161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.021{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Xml.Serialization.dll2023-01-17 10:33:00.021 11241100x800000000000000090160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.021{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Xml.ReaderWriter.dll2023-01-17 10:33:00.021 23542300x800000000000000069078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:00.737{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04A9BF7C8CBDE2487E8824278427DA9,SHA256=8C9AA30AFA7E5831273D6DD92485ECD5581105C9515A4E5CA6E9FC27734C77A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.019{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Xml.Linq.dll2023-01-17 10:33:00.019 11241100x800000000000000090158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.019{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Xml.dll2023-01-17 10:33:00.019 11241100x800000000000000090157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.006{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Xaml.dll2023-01-17 10:33:00.006 11241100x800000000000000090156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.005{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Windows.Presentation.dll2023-01-17 10:33:00.005 11241100x800000000000000090155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:00.003{F172AD64-795A-63C6-7702-00000000B002}6120C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\bin\System.Windows.Input.Manipulations.dll2023-01-17 10:33:00.003 23542300x800000000000000069077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:00.378{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2B429EA526EFE3D90903BE72306AE4E9,SHA256=205E0471AB428DD7E117523109F6F2846427D3018D3E5D1E19F9E599B1C577CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:32:59.091{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local50077-false142.250.190.138ord37s36-in-f10.1e100.net443https 11241100x800000000000000090675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:01.138{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:01.138{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C87F1FABB7DABC644185D74690B2569,SHA256=F1B04AC9F8F110D6DBEB7A5C1C63070D94971C22B2C8E255521EDCB0B63C755E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:01.824{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2811D77BED87C3B0CC7CFC893955CED,SHA256=C6BC9DA8A65A18E76C8350CF330F54A9C2B5EA8CD36B32FB7E269E0FE0499937,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:59.673{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50345-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000069079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:32:59.156{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50344-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000090719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.451{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.451{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.451{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.451{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.451{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.448{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.448{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.448{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.448{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.445{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.445{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000090708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.402{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpset2023-01-17 10:33:02.402 11241100x800000000000000090707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstore2023-01-17 10:33:02.400 11241100x800000000000000090706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.398{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpset2023-01-17 10:33:02.398 11241100x800000000000000090705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.397{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstore2023-01-17 10:33:02.397 11241100x800000000000000090704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.396{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpset2023-01-17 10:33:02.396 11241100x800000000000000090703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.395{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstore2023-01-17 10:33:02.393 11241100x800000000000000090702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.393{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-track-digest256.vlpset2023-01-17 10:33:02.393 11241100x800000000000000090701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.392{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-track-digest256.sbstore2023-01-17 10:33:02.392 11241100x800000000000000090700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.391{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpset2023-01-17 10:33:02.391 11241100x800000000000000090699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.390{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstore2023-01-17 10:33:02.390 11241100x800000000000000090698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.389{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpset2023-01-17 10:33:02.389 11241100x800000000000000090697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.389{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstore2023-01-17 10:33:02.389 11241100x800000000000000090696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.388{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google42023-01-17 10:33:02.388 11241100x800000000000000090695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.387{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpset2023-01-17 10:33:02.386 11241100x800000000000000090694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.385{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstore2023-01-17 10:33:02.385 11241100x800000000000000090693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.384{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-track-digest256.vlpset2023-01-17 10:33:02.384 11241100x800000000000000090692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.384{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-track-digest256.sbstore2023-01-17 10:33:02.383 11241100x800000000000000090691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.383{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-email-track-digest256.vlpset2023-01-17 10:33:02.383 11241100x800000000000000090690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.382{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-email-track-digest256.sbstore2023-01-17 10:33:02.382 11241100x800000000000000090689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.381{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpset2023-01-17 10:33:02.381 11241100x800000000000000090688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.380{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstore2023-01-17 10:33:02.380 11241100x800000000000000090687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.380{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-email-track-digest256.vlpset2023-01-17 10:33:02.378 11241100x800000000000000090686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-email-track-digest256.sbstore2023-01-17 10:33:02.378 11241100x800000000000000090685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpset2023-01-17 10:33:02.378 11241100x800000000000000090684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstore2023-01-17 10:33:02.376 11241100x800000000000000090683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\analytics-track-digest256.vlpset2023-01-17 10:33:02.376 11241100x800000000000000090682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\analytics-track-digest256.sbstore2023-01-17 10:33:02.374 11241100x800000000000000090681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.374{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\ads-track-digest256.vlpset2023-01-17 10:33:02.374 11241100x800000000000000090680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.372{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\ads-track-digest256.sbstore2023-01-17 10:33:02.372 11241100x800000000000000090679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.370{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating2023-01-17 10:33:02.370 11241100x800000000000000090678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.033{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:02.033{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62AE4E1CE5CABE984B8A5BA0B3455BAF,SHA256=9639C5805FA64F9D5FF1A7A27D44EA1623D01F71110CB38A8FD2F3AA75E950F5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000090736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.992{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=4C76812B58E0B647D28D6FCEFC6702AF,SHA256=76CF6D4562438A4F51D526C1A9962F7174490A553CC9897C9F60A96702EEB680,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x800000000000000090735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.991{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x800000000000000090734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.989{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000090733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.988{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000090732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDBSetValue2023-01-17 10:33:03.988{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\dnSpy.exeBinary Data 10341000x800000000000000090731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.985{F172AD64-6CE8-63C6-1300-00000000B002}6802916C:\Windows\System32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.985{F172AD64-6CE8-63C6-1300-00000000B002}6802916C:\Windows\System32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.973{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.973{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.972{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.972{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.972{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.972{F172AD64-7634-63C6-B901-00000000B002}49004424C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.970{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe6.1.8.0dnSpydnSpydnSpydnSpy.dll"C:\Users\Administrator\Downloads\dnSpy.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=6E2E86E49D9F0FAA7107F00D4D856A86,SHA256=937DE02BA7A3522404B82FA09ACECE6A3063C40DF760BA4FC6A3344083D5EB12,IMPHASH=E3F0C6F49DC92A0DE8B1A1437EDF5338{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 11241100x800000000000000090722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.940{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpset2023-01-17 10:33:03.940 11241100x800000000000000090721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.160{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.160{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A90E2F1D07367D4413BE807388E655F,SHA256=ECB38715B514C1B819551FB552FD36C93E9638C2C9281C363A6754588E4D6C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:03.030{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EA49ABEFAD8AECFF2FAA6EBAB2B0F9,SHA256=65D0DEA46646076BD28662E903CAD7ACABA2E44FEEAF67BD136345B41DF7EFFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.944{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup32\net2023-01-17 10:33:04.944 11241100x800000000000000090914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.944{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup322023-01-17 10:33:04.943 11241100x800000000000000090913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.943{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy2023-01-17 10:33:04.943 11241100x800000000000000090912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.858{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.858{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FD9C6DE1950C7AF9AE43CCACE71120,SHA256=CCFE2D2AE9C2AA9C7E57D8A441225D15B975AC61D99F5D4DD39BDB1EC727DD8A,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000090910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.784{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.NonGeneric.dll5.0.20.51904System.Collections.NonGenericMicrosoft® .NETMicrosoft CorporationSystem.Collections.NonGeneric.dllMD5=BA890F474A25B8D56B102E5A340D5558,SHA256=B150F551FE266D81A9CC46D9C98E461EA163023604B5396EDD57B10AAE38EFFE,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.782{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=40E6DDAF1D9B1EE5982EE386E7CF2CCD,SHA256=9640D39690AF9B66334565B41BD6C71350B49E6C99FBDF0107316A31830CC3B8,IMPHASH=A304C1ECFEFBD3A520A9945E2188D759trueMicrosoft WindowsValid 734700x800000000000000090908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.755{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.Primitives.dll5.0.20.51904Microsoft.Win32.PrimitivesMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.Primitives.dllMD5=4D2C915B523026D5ABC005B1A72A8BDB,SHA256=2399F3CEFD4DF7AC452D7FFD106FC9E1C6D14E2888D01C1405D371B29073299E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.752{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.dll5.0.20.51904System.ThreadingMicrosoft® .NETMicrosoft CorporationSystem.Threading.dllMD5=8DF5383909F3A0E0C8090F3364035B26,SHA256=DBC85FB9166F8C25424B1CE95C57113CEDD7403A608016A424656F5634C22C29,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.750{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Debug.dll5.0.20.51904System.Diagnostics.DebugMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Debug.dllMD5=6F8736E618B2FE423EB4DB806F8CF487,SHA256=3605170FF9D76A264F2A95C41E62140C55B8DA629683B5367AADE5791F79175E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.747{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.CompilerServices.VisualC.dll5.0.20.51904System.Runtime.CompilerServices.VisualCMicrosoft® .NETMicrosoft CorporationSystem.Runtime.CompilerServices.VisualC.dllMD5=01B9A8843838629B55B50305AF9A9598,SHA256=8F6BCD64E9BDCCDC9532AEB2725A2ADC21BA944BD1F6B3A7757025AF44EAF2A3,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.744{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.InteropServices.dll5.0.20.51904System.Runtime.InteropServicesMicrosoft® .NETMicrosoft CorporationSystem.Runtime.InteropServices.dllMD5=888B666D4C6E049084613552946193E2,SHA256=0C086FB84072558569192DBC99CF13F77A9FAE2DD0049366F544EE7F41519AF9,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.743{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Extensions.dll5.0.20.51904System.Runtime.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Extensions.dllMD5=846F1997A38F1CD4C254F2956A7AE561,SHA256=141B0F1C8DCE03C86ED052CD09E3C302B1AC4909E3DDEAFA10ECB49A3D5484BD,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.739{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\DirectWriteForwarder.dll5,0,20,52003 @Commit: 9e81b0885121e9958e48895ae48be9639a396528DirectWriteForwarderMicrosoft® .NET Framework-DirectWriteForwarderMD5=9EFDF7E3043BEDAC1DEF2E1FB35D8D47,SHA256=F8974F43E3253F023240D5F08CA762FB48D91AE01049EE58485E269DB60C5ED8,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 23542300x800000000000000069083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:04.121{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24776A8DBD5C90FFB267781D43090D5,SHA256=8122DF4332D108F7255F5B0E7E92B869E9696E0EB3676364FFE452B8557B062D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000090901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.729{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\mscorlib.dll5.0.20.51904mscorlibMicrosoft® .NETMicrosoft Corporationmscorlib.dllMD5=621C0C395426423F52B7B644F024F6EA,SHA256=F1FEFB476CA5DD10A254E6A415C17EE916DB36AF930CDCB169848410CDC48498,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.727{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\WindowsBase.dll5.0.20.52003WindowsBaseWindowsBaseMicrosoft CorporationWindowsBase.dllMD5=6ED75D8809B566C304CF3D0D22AC8B16,SHA256=9966D7144CDA77F80BEAF933D536F6A63FCD91C01ABDB3436D784A1299102AEC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.707{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationCore.dll5.0.20.52003PresentationCorePresentationCoreMicrosoft CorporationPresentationCore.dllMD5=5919281FC845C2231ECDA3F0A61766BD,SHA256=EAE2AAA6F89E83C3841898BE7B3BA94A773138F13943A36AC889D15972ABA62C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.642{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\netstandard.dll5.0.20.51904netstandardMicrosoft® .NETMicrosoft Corporationnetstandard.dllMD5=94F395AD732AC095583CAB60A17EF73F,SHA256=89E927DFEDB268C74E96E9A5016FE201F57344F4B80A145CA7BC24776F2FFF40,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.639{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnlib.dll3.3.2.0dnlib (thread safe)dnlib0xd4ddnlib.dllMD5=4D0B771879DE85137EE7E5F0D4BB4B16,SHA256=962332E8C8CB459FB2F7DACEC5D7A618CC53B1B49BC1740156398C89742F43FD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.629{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.FileSystem.dll5.0.20.51904System.IO.FileSystemMicrosoft® .NETMicrosoft CorporationSystem.IO.FileSystem.dllMD5=232510448CE8E417E01CD10FE78D4932,SHA256=98615DFAF418992D36ACC335B56268DEE1AD18DE98F28A7802139210AD61BFC1,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.625{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Tracing.dll5.0.20.51904System.Diagnostics.TracingMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Tracing.dllMD5=662D49D915925D421E8489A78964DF12,SHA256=3AD16AD5D3D760E9B216281F9F67906FBEF15A1A3A8C7A7694D2795C8F170E1A,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000090894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.661{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:48.097 23542300x800000000000000090893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.659{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.659{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:32:48.097 734700x800000000000000090891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.623{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.DnSpy.dll6.1.8.0dnSpy.Contracts.DnSpydnSpy.Contracts.DnSpydnSpy.Contracts.DnSpydnSpy.Contracts.DnSpy.dllMD5=5897A5F8BB3FDBAEA1F5D37F1A0137E5,SHA256=A06639A52050F3D0F4644CCD55C7BA1572A7F63B5CF51067F8E9088F7CAE2449,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.603{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.dll5.0.20.51904System.RuntimeMicrosoft® .NETMicrosoft CorporationSystem.Runtime.dllMD5=1B8E5C63925265E061554C07E88A1D63,SHA256=3C84A57C7FE42BFFC2803D0B49994A796DD4AA479A035DE003DA006A08EBA856,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.597{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.dll6.1.8.0dnSpydnSpydnSpydnSpy.dllMD5=5213D9619CA9011F09ED3D0D65B48166,SHA256=5C5A4F7E178046AB14282D5C3BAF025365E6D1B5225D65C78AA6B5B16AB014A1,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 11241100x800000000000000090888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.623{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.DiaSymReader.Native,1.7.02023-01-17 10:33:04.623 11241100x800000000000000090887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.623{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.Composition.Hosting2023-01-17 10:33:04.621 11241100x800000000000000090886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.621{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.Composition.Hosting,1.0.312023-01-17 10:33:04.621 11241100x800000000000000090885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.619{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.Composition.Convention2023-01-17 10:33:04.619 11241100x800000000000000090884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.619{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.Composition.Convention,1.0.312023-01-17 10:33:04.617 11241100x800000000000000090883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.617{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.Composition.AttributedModel2023-01-17 10:33:04.617 11241100x800000000000000090882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.617{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.ComponentModel.Composition,4.5.02023-01-17 10:33:04.617 11241100x800000000000000090881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.617{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Ookii.Dialogs.Wpf,3.0.12023-01-17 10:33:04.617 11241100x800000000000000090880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.617{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Validation,15.0.822023-01-17 10:33:04.615 11241100x800000000000000090879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.615{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Text.UI.Wpf2023-01-17 10:33:04.615 11241100x800000000000000090878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.615{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Text.UI2023-01-17 10:33:04.615 11241100x800000000000000090877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.615{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Text.UI,15.5.271302023-01-17 10:33:04.615 11241100x800000000000000090876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.615{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Text.Logic2023-01-17 10:33:04.615 11241100x800000000000000090875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.615{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.ComponentModel.Composition2023-01-17 10:33:04.615 11241100x800000000000000090874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.615{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.CoreUtility,15.5.271302023-01-17 10:33:04.615 11241100x800000000000000090873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.615{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Text.Data,15.5.271302023-01-17 10:33:04.615 11241100x800000000000000090872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.615{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Composition.NetFxAttributes,16.4.112023-01-17 10:33:04.615 11241100x800000000000000090871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.613{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Language.Intellisense,15.5.271302023-01-17 10:33:04.613 11241100x800000000000000090870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.613{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Composition2023-01-17 10:33:04.613 11241100x800000000000000090869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.613{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.Workspaces.Common,2.10.02023-01-17 10:33:04.613 11241100x800000000000000090868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.613{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.Composition.Runtime2023-01-17 10:33:04.613 11241100x800000000000000090867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.613{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.VisualBasic.Workspaces2023-01-17 10:33:04.613 11241100x800000000000000090866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.611{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Language.Intellisense2023-01-17 10:33:04.611 11241100x800000000000000090865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.611{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.VisualBasic.Workspaces,2.10.02023-01-17 10:33:04.611 11241100x800000000000000090864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.611{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.Composition.TypedParts,1.0.312023-01-17 10:33:04.609 11241100x800000000000000090863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.609{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.VisualBasic.Features2023-01-17 10:33:04.609 11241100x800000000000000090862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.609{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.VisualBasic.Features,2.10.02023-01-17 10:33:04.609 11241100x800000000000000090861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.609{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.VisualBasic2023-01-17 10:33:04.609 11241100x800000000000000090860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.609{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.Composition.AttributedModel,1.0.312023-01-17 10:33:04.609 11241100x800000000000000090859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.609{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.Composition.TypedParts2023-01-17 10:33:04.609 11241100x800000000000000090858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.609{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.VisualBasic,2.10.02023-01-17 10:33:04.609 10341000x800000000000000090857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.609{F172AD64-6CE8-63C6-1000-00000000B002}3566744C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000090856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.609{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.Features2023-01-17 10:33:04.609 10341000x800000000000000090855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.609{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000090854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.607{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.Features,2.10.02023-01-17 10:33:04.607 11241100x800000000000000090853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.607{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.CoreUtility2023-01-17 10:33:04.607 734700x800000000000000090852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.607{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 11241100x800000000000000090851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.607{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Text.Data2023-01-17 10:33:04.607 11241100x800000000000000090850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.607{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Validation2023-01-17 10:33:04.607 11241100x800000000000000090849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.607{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.CSharp.Workspaces2023-01-17 10:33:04.607 11241100x800000000000000090848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.605{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.CSharp.Workspaces,2.10.02023-01-17 10:33:04.605 11241100x800000000000000090847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.605{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Composition,16.4.112023-01-17 10:33:04.605 11241100x800000000000000090846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.605{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Text.Logic,15.5.271302023-01-17 10:33:04.605 11241100x800000000000000090845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.605{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.CSharp.Features2023-01-17 10:33:04.605 11241100x800000000000000090844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.605{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.CSharp.Features,2.10.02023-01-17 10:33:04.605 11241100x800000000000000090843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.605{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.CSharp2023-01-17 10:33:04.605 11241100x800000000000000090842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.605{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Composition.NetFxAttributes2023-01-17 10:33:04.603 11241100x800000000000000090841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.603{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.CSharp,2.10.02023-01-17 10:33:04.603 11241100x800000000000000090840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.603{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.Common2023-01-17 10:33:04.603 11241100x800000000000000090839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.603{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.Common,2.10.02023-01-17 10:33:04.603 11241100x800000000000000090838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.603{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Ookii.Dialogs.Wpf2023-01-17 10:33:04.603 11241100x800000000000000090837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.601{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Humanizer.Core,2.2.02023-01-17 10:33:04.601 11241100x800000000000000090836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.601{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.VisualStudio.Text.UI.Wpf,15.5.271302023-01-17 10:33:04.601 11241100x800000000000000090835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.601{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,dnlib2023-01-17 10:33:04.601 11241100x800000000000000090834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.601{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,dnlib,3.3.22023-01-17 10:33:04.601 11241100x800000000000000090833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.601{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.DiaSymReader.Native2023-01-17 10:33:04.601 11241100x800000000000000090832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.601{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Iced2023-01-17 10:33:04.601 11241100x800000000000000090831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.601{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,runtime.win-x86.Microsoft.NETCore.DotNetHostPolicy,5.0.02023-01-17 10:33:04.601 11241100x800000000000000090830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.601{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Humanizer.Core2023-01-17 10:33:04.599 11241100x800000000000000090829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.599{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Microsoft.CodeAnalysis.Workspaces.Common2023-01-17 10:33:04.599 11241100x800000000000000090828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.599{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,System.Composition.Runtime,1.0.312023-01-17 10:33:04.599 11241100x800000000000000090827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.599{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,runtime.win-x86.Microsoft.NETCore.DotNetHostPolicy2023-01-17 10:33:04.599 11241100x800000000000000090826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.599{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Iced,1.9.02023-01-17 10:33:04.599 734700x800000000000000090825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.541{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\clrjit.dll5,0,20,51904 @Commit: cf258a14b70ad9069470a108f13765e0e5988f51Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NETMicrosoft Corporationclrjit.dllMD5=4A3121FEA51793566DF439932CB42069,SHA256=9646326E52DB7B28C19269F34D2CA937800DEB16B3F97B9BCB634EE9669E5C9B,IMPHASH=73A3EF33B6FA5503D5DC4F6AD1CD2EA8trueMicrosoft CorporationValid 734700x800000000000000090824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.524{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll5.0.20.51904System.Private.CoreLibMicrosoft® .NETMicrosoft CorporationSystem.Private.CoreLib.dllMD5=677DAF60C0EF7D4C5E7566D56B63E336,SHA256=FC212D3841C81D50518C066333B9CCEF9346D86D679BD6CAC19771B0D23BB8C9,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.434{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\coreclr.dll5,0,20,51904 @Commit: cf258a14b70ad9069470a108f13765e0e5988f51Microsoft .NET RuntimeMicrosoft® .NETMicrosoft CorporationCoreCLR.dllMD5=47802BF022D47DD533F9196227C37962,SHA256=8D87D4B97CE741746619DA01B746CAAC150000C37BC43ED0E909F71A63C57A09,IMPHASH=99DE66A38992216D932AC7C79D8FE021trueMicrosoft CorporationValid 17141700x800000000000000090822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:33:04.455{F172AD64-795F-63C6-7802-00000000B002}7080\dotnet-diagnostic-7080C:\Users\Administrator\Downloads\dnSpy.exe 734700x800000000000000090821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.453{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x800000000000000090820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.448{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x800000000000000090819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.443{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 10341000x800000000000000090818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.402{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.402{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.402{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.396{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.396{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000090813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.396{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000090812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.363{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\hostpolicy.dll5,0,20,51904 @Commit: cf258a14b70ad9069470a108f13765e0e5988f51.NET Host Policy - 5.0.0Microsoft® .NET FrameworkMicrosoft Corporation.NET Host Policy - 5.0.0MD5=D5B36FEA86BB8EB0DED938283B41486F,SHA256=30581B893BFAF0D0AABA0F4EBE9303425D34B4C03B2A494DBEEF2F18AEB1B5E0,IMPHASH=E7CBE793D3941027E08128573B8B5946trueMicrosoft CorporationValid 734700x800000000000000090811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.355{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\hostfxr.dll5,0,20,51904 @Commit: cf258a14b70ad9069470a108f13765e0e5988f51.NET Host Resolver - 5.0.0Microsoft® .NET FrameworkMicrosoft Corporation.NET Host Resolver - 5.0.0MD5=B106C19B77EA09A4E0C4CBDD37FC1D74,SHA256=FCF198DB8F15C3F3D500B7D3C4A3582FE5F3494B02FE773B974B1D65274289F3,IMPHASH=03CAD07D3C5182E7C86E136AA250631DtrueMicrosoft CorporationValid 734700x800000000000000090810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.348{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x800000000000000090809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.346{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x800000000000000090808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.345{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x800000000000000090807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.340{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x800000000000000090806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.338{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=827CF4DF011EA7BAF277BBA7E74F262E,SHA256=9C9BBF48DC43E2C405C04BE00DF600989093BBCD6CC7FD66CE8BEA97EC7D8499,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x800000000000000090805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.335{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C830A662D2219E9BFB13ED2894026915,SHA256=CB8048F560CC4FF567D2A8C2657004E70902855CCA50B4705A8053587E1ED007,IMPHASH=533BC84A1EC4841BF15F5E4FF63A29F1trueMicrosoft WindowsValid 734700x800000000000000090804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.329{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x800000000000000090803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.327{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x800000000000000090802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.325{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x800000000000000090801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.321{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x800000000000000090800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.321{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=B422D6D349B239AA5DA5B66297A085B3,SHA256=3708B080455F4563B863211A4D602AE11CEBDEB94C8846EE580503C4F4A4DFE7,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x800000000000000090799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.319{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=3A48E40A8DC9780D16B55FA7F425C8BD,SHA256=1DC9E31DEE8E5FCB1ECDFCB14A79BC65EE46DED598D13CA9AFF03184DACE47CD,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x800000000000000090798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.309{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x800000000000000090797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.299{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D8766A87C8B5B093B0469B493FF5F7E4,SHA256=8FB659C0D76E996E729FA2FD108F70988A44AA2FBF032D4C0D135E24009FCA80,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 11241100x800000000000000090796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.287{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.287{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C800865C09C03EF4BC43B9CF8ABB4469,SHA256=0E5C586C4DAD85B512C47E3E300C1F5B6A25C6138AF194CDDC548F9B0D2A023C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000090794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.281{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=D9C3B5FF35145713151626BE316EA7DA,SHA256=0921F4B23EDDE0B4C4A219120217B5E62C784DE1A2EF2C48C8999C956CDF2CB0,IMPHASH=9D339EEAB735596FA7DC404B5B56A994trueMicrosoft WindowsValid 734700x800000000000000090793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.238{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x800000000000000090792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.235{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x800000000000000090791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.227{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=0487622561B6FA4067E8D603307A0457,SHA256=77585E9AD4130F504F881261356DC44BF3B88213CC9B03587FE1E46005D09A52,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 11241100x800000000000000090790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.191{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.191{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3879E1544442A5D7B77EBE05CF9289D0,SHA256=D28EADD97FD65A9F3D56F41486072E0F44DE2E9E2AD231702839F8268A62D131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.157{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=D6BC596FC8763F19E770F2D992C4B2AA,SHA256=BABE1263766B48C5012CA8BEB6BA33892B6FF8C880D80F377EA7BA28A2AA5C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.155{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=C483C5F64EE654BC0AD11D1FC3D6A9AA,SHA256=FC82E0F62E48BA99CF6DBDD98AFFE7877141ACEE98111A774063344D2E450B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.155{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=F4E9D809CA16A0C3D54D8D9960C76281,SHA256=EB0A47370E92682E8DFAD0649DAC63F22B5607950F22705F0AEBD8E5411FF37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.154{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=7056D2F1D900B3E4CF636F606F2EDA2B,SHA256=5A33BF3E5364901C97AC811607AAC409850F7B6BEA77EA82D6CE8C18B7EF26E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.152{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=9743EFA9D185B32CE7FCF97FC4F2DD12,SHA256=4C92A1D414C71282D3B1EAF5D1EB5027A33EF44218249B3C4A1C66CB2E3DF691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.152{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=55FE316262955D7300963FB901ED1215,SHA256=7BFB29408D415F6DF21FE900B26DBA43A36FE165144339AEAFDB59983B7D0F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.151{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=A35C037AFC3EB17EDBE48BB65AD475FE,SHA256=BB40BB3597923EBD1BD3831496C6EE807E260252DAD814C8257919839430CDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.150{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=EFF14E81C67BE0A6A32317E524B9C0CA,SHA256=A5283860120BBD3783ECD242FA8902E6ECB1D181231F1AB3648AB5833FEB2AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.150{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=E2504EC1F27546D9ADC99BE3EAF40640,SHA256=01A3AFC412700FFC6CEA877FC8EBE7E04E6018539EA28B37D91277E388FFA5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.146{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=1EB363B2B9A12102AF3CFF680C4D781A,SHA256=37765AC4FDBBB15435398DC8398A949BA3502293E0743D22EC5AF81A7876A5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.146{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.145{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.144{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.131{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=290613727E5AFF25126961C8F4B88D83,SHA256=5BEB20661DC13F0621EDD0158475C50293ADFF30BD2B3F4205EF9E9E21ABCBE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.129{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=A397E46A0D20E2C45B8A9121C8A1553D,SHA256=4D30A7697EE459202EE98DCCF94583B041F9796067050036C01ADF7599D3708F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.129{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=EBE1E5EF3BF518C4513A710C20584FEB,SHA256=63885A09479A27691B43E1960542208133E5180F170D71C2673D278B8075150B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.129{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-email-track-digest256.vlpsetMD5=8AA8044B064139517398CECD159FC155,SHA256=CA5C29812682238390425EA70200D733B209F396B65C56F23CBC5376A267966A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.127{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\content-email-track-digest256.sbstoreMD5=916B02B5C1CC32DAF6418E55B946A311,SHA256=FEE87A29716988C786D080F82F16D47C90D28012CF1DD4D202EA5F21462EFFDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.127{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=D5565D3B2176A5591A29B565C7F7B318,SHA256=55F37A1E2EC949C3A35935B0489E50EE43899A83199F2F399336A2F44061F079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.125{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=1628F4B2C23ABAE9EFBC8123614AAD39,SHA256=6A0E6056E219DDE3017F9A3D7337442960C978236332988FFA74527DF6C005B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.125{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-email-track-digest256.vlpsetMD5=0250F7ACDF7B2DD582C4311C54D2B7D2,SHA256=5453148AB3E08437F441702CA712761A423513D136E44A8577845A7461D76C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.123{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-email-track-digest256.sbstoreMD5=9F05926AC9A4E479BED6238B4D954A96,SHA256=BB4C8D13A94A3EAF2772BBA887BF2435699E4F26E3EF1E86531761F7AF9BFA33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.121{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=27FDC1E41D9D5A211771AB92CA9F7C31,SHA256=0660E282128C18853B1E61D39103FB07D890DEC37D087518E94DFE4ABDFDA2A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.121{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=600543CCB6F17BDD56EE0B6037E4B5AD,SHA256=F1BA1589BFBB7720654E0B9E873894C1638C379CC5D8590473DD9370846BBF4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.121{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=65CDC657AC77C480AC5C585B6B3D1A3C,SHA256=6F6845B994A65C09BA4F511B3450FCF66D12E2DAF2725517C32AFE5F6AE71B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.119{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=41AFE516DEC1742911FBAB057B28C12E,SHA256=47CAA234E929426AE0E3E3D4432E3D4E7345919132504FE5080FAC264F0E5139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.119{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=9D8A26D4FD917C1BEAC94D0E329011C0,SHA256=6BC574F51BB934AFEA63CBF37E4C3C11DC72C8660D2A4460DF3E5978AC3D6DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.117{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E0A7CB263A7E5001A4ACB00631BEC6A7,SHA256=014B03890FCAB9E67AAB65404EFCCEAA13BE82924E3D682DC48B8FE942017B50,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000090760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.114{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadata2023-01-17 10:33:04.113 11241100x800000000000000090759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.110{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpset2023-01-17 10:33:04.110 11241100x800000000000000090758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.110{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadata2023-01-17 10:33:04.110 11241100x800000000000000090757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpset2023-01-17 10:33:04.105 734700x800000000000000090756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.060{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=6B8855A193E555FC990272CA897F17C8,SHA256=71DAF5DFD014D22AA8F9A57C67AEBA00A7F7D6751986726CB2F8D228FDD988B4,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x800000000000000090755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.049{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 11241100x800000000000000090754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.048{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadata2023-01-17 10:33:04.048 734700x800000000000000090753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.047{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=9D8F7BD41657B515DD46C7BF90A26CDB,SHA256=F73F1D7C426282357007294D5108EB4509EB96C1DF82B86BD2E657D93E7204B5,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x800000000000000090752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.046{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 11241100x800000000000000090751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.045{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpset2023-01-17 10:33:04.045 11241100x800000000000000090750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.038{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google4\goog-malware-proto.metadata2023-01-17 10:33:04.038 11241100x800000000000000090749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.033{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpset2023-01-17 10:33:04.032 734700x800000000000000090748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.032{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=21F54383C7D18A94F38FECE94DD70857,SHA256=A640FB5178939AC7D6120624B37FF0D40805BF5136DA47C71227A88347663E02,IMPHASH=C3A947E86E0B67FAA3B0B56CC5C7BCA6trueMicrosoft WindowsValid 734700x800000000000000090747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.017{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x800000000000000090746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.018{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=72EB4674143DA842FD0A5345292D582C,SHA256=67E414DE97C1E0F8B6E5EC4D4CDAD442CF86C45882FCE6DE6904A0BF352D71F8,IMPHASH=6798162B267BC20DD6DD5089B259E15BtrueMicrosoft WindowsValid 734700x800000000000000090745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.010{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x800000000000000090744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.017{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000090743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.016{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000090742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.016{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=72EB4674143DA842FD0A5345292D582C,SHA256=67E414DE97C1E0F8B6E5EC4D4CDAD442CF86C45882FCE6DE6904A0BF352D71F8,IMPHASH=6798162B267BC20DD6DD5089B259E15BtrueMicrosoft WindowsValid 734700x800000000000000090741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.006{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 11241100x800000000000000090740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.011{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\safebrowsing-updating\google4\goog-phish-proto.metadata2023-01-17 10:33:04.011 734700x800000000000000090739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.010{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000090738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.989{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy.exe6.1.8.0dnSpydnSpydnSpydnSpy.dllMD5=6E2E86E49D9F0FAA7107F00D4D856A86,SHA256=937DE02BA7A3522404B82FA09ACECE6A3063C40DF760BA4FC6A3344083D5EB12,IMPHASH=E3F0C6F49DC92A0DE8B1A1437EDF5338false-Unavailable 734700x800000000000000090737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.002{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=008C343519B7638AEF1FBFD9DF26BC22,SHA256=9C5B8ED8542367D1DC5625AD5544C68ABB63C80887F2F448506581B32AA34CE5,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 23542300x800000000000000069084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:05.222{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77335E070B404EC275DE6B21E7FD326,SHA256=4E77E27705E99C7AB612F91A429621E8934EDB37EECAC1E03209CBC4BBF3495B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.990{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000091012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.990{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000091011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.990{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 734700x800000000000000091010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.582{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Aero.dll5.0.20.52003PresentationFramework.AeroPresentationFramework.AeroMicrosoft CorporationPresentationFramework.Aero.dllMD5=916CB9BF70A1812698841A5A428D5985,SHA256=AD880F84C9AAF19E9C6D7F41D1C1135622AAFBE2D08B135A45720BBBB4E40F1E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.561{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.dll1.0.0.0Microsoft.CodeAnalysis.CSharp.ExpressionEvaluatorMicrosoft.CodeAnalysis.CSharp.ExpressionEvaluatorMicrosoft.CodeAnalysis.CSharp.ExpressionEvaluatorMicrosoft.CodeAnalysis.CSharp.ExpressionEvaluator.dllMD5=C093E7D2DEAC718331B5A1F90A296E82,SHA256=AFDAF3294C67480BA855CA06F6750762A7828D4A104D79A32569C6F334A743C1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000091008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.560{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.Core.dll6.1.8.0dnSpy.Decompiler.ILSpy.CorednSpy.Decompiler.ILSpy.CorednSpy.Decompiler.ILSpy.CorednSpy.Decompiler.ILSpy.Core.dllMD5=2EF0A2CB16F80A3D6AFF1AB4C481496E,SHA256=5D329DBC74125AB92FBCEC06DDC1414E215A74153C280BC9781CAE093E603897,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000091007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.558{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=AC951CC1306C73767A05F04BFC916CD8,SHA256=5FE28B70168433EF1C6DDE3CB1BE43A1A614508C37BC9C32F2051E5BA341C6C3,IMPHASH=EF37C47ACC74D5DC3737EEE137193A8DtrueMicrosoft WindowsValid 734700x800000000000000091006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.541{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.dll1.0.0.0Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluatorMicrosoft.CodeAnalysis.VisualBasic.ExpressionEvaluatorMicrosoft.CodeAnalysis.VisualBasic.ExpressionEvaluatorMicrosoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.dllMD5=2A40516C8B0ECA8EA95895FB039A4B0E,SHA256=69D0D2BB692FCD54C31C76F5B457CAF0A15A7452B18EBE50E0697EFDD66F84AF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000091005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.539{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Scripting.dll2.10.0.0Microsoft.CodeAnalysis.ScriptingMicrosoft.CodeAnalysis.ScriptingMicrosoft CorporationMicrosoft.CodeAnalysis.Scripting.dllMD5=EC05B0D1FFFAE920CCA19E7490E03D92,SHA256=B26B6DF96E24329ADE914203EAE33CFE305E1A5A4C193449FD759E42ABCB3837,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000091004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.536{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Mono.Debugger.Soft.dll4.0.0.0Mono.Debugger.Soft.dll--Mono.Debugger.Soft.dllMD5=AC4A88CE6122F49D3099EDA3B4C8D39B,SHA256=3312EEA9E90EC973F11173257CE7554261530CDBDD4D8AC80A9D4ED591DEA0AC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000091003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.534{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll5.0.20.51904System.Diagnostics.ProcessMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Process.dllMD5=967EBD5913BC407520C0DD77D8F4802F,SHA256=93C044F404BDA1C00881C52FD53C1031390A4AF640F6AC6B6CAFAE486EF08C26,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.531{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Serialization.Formatters.dll5.0.20.51904System.Runtime.Serialization.FormattersMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Serialization.Formatters.dllMD5=3601CB7F81B22104AA8B2E449D79111D,SHA256=2D45F47E4D6386429A5BA94623824B941F628400412DD99EF1AA5B55D84620BB,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.528{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.Internal.dll1.0.0.0dnSpy.Roslyn.InternaldnSpy.Roslyn.InternaldnSpy.Roslyn.InternaldnSpy.Roslyn.Internal.dllMD5=93CBECB93B241F9F5448F041E2E58B95,SHA256=5D534D6650838317E25695AD15AFF82A27FE7AA6F7D6932872F7219EA9557F14,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000091000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.527{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.dll6.1.8.0dnSpy.DecompilerdnSpy.DecompilerdnSpy.DecompilerdnSpy.Decompiler.dllMD5=07B0F9AFB082F6E5B3694BCF2DE0CD01,SHA256=CDA009BA0ABD7C22EAF28C917291193853FCF5189913F29845D42DBAE361E302,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.525{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.Decompiler.dll2.3.1.0ICSharpCode.DecompilerICSharpCode.Decompileric#codeICSharpCode.Decompiler.dllMD5=3F0B190B2C3DE675C5DCD932CEECFE98,SHA256=EEA43E707CC5212EB2C32F788DF7441B47E5E13EF6EF4A3A9BF2CECBA3D51BC0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.518{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.dll6.1.8.0dnSpy.Contracts.Debugger.DotNet.CorDebugdnSpy.Contracts.Debugger.DotNet.CorDebugdnSpy.Contracts.Debugger.DotNet.CorDebugdnSpy.Contracts.Debugger.DotNet.CorDebug.dllMD5=194609DB5888E53BC1891A1E30E0BA1F,SHA256=C8F6656CA5F8A5E1BE58770798A5DE945C29FD2C62F84D12DDA74C7234A33445,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.518{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.dll1.0.0.0Microsoft.CodeAnalysis.ExpressionEvaluatorMicrosoft.CodeAnalysis.ExpressionEvaluatorMicrosoft.CodeAnalysis.ExpressionEvaluatorMicrosoft.CodeAnalysis.ExpressionEvaluator.dllMD5=74DF985B48B8CFBF96FBCA0248591D74,SHA256=B130CFBB4DD9855CBD6627755E3826F90585F5891EDB037515B74D8AF80A90FD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.516{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Interpreter.dll6.1.8.0dnSpy.Debugger.DotNet.InterpreterdnSpy.Debugger.DotNet.InterpreterdnSpy.Debugger.DotNet.InterpreterdnSpy.Debugger.DotNet.Interpreter.dllMD5=EBFEA58CA8930B12413E620D5D2FA734,SHA256=22EFB188CDE722408B66FAE38CC990C6C0D0E5DBF42E624EE8F24238BB095803,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.514{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Drawing.Primitives.dll5.0.20.51904System.Drawing.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Drawing.Primitives.dllMD5=6DB5A9AA45179FD123B27576F4D4FEDF,SHA256=6BB6E9C95FBB1D77BEB6D84ECC35D62CED3D32B02D48A3565612C78508BC431A,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.512{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Globalization.dll5.0.20.51904System.GlobalizationMicrosoft® .NETMicrosoft CorporationSystem.Globalization.dllMD5=EE2DAA2E97B7250A8DB0F6E74EF772D4,SHA256=2568163D350A3D16AEA79646D0753D4970CBF93412FCBB0E4D1772193EB189DB,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.511{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Iced.dll1.9.0.0IcedIced0xd4dIced.dllMD5=664C15683A6A3FB4204D5F1FF42E2E5C,SHA256=DEC71B0AF2C2267FA1CA8D1465FAF914AB5350C7407D0E35EDD690D1B4F421FB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x800000000000000090992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.601{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000090991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.497{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.Mono.dll6.1.8.0dnSpy.Contracts.Debugger.DotNet.MonodnSpy.Contracts.Debugger.DotNet.MonodnSpy.Contracts.Debugger.DotNet.MonodnSpy.Contracts.Debugger.DotNet.Mono.dllMD5=8E1B79CCA6A873EDF64CFF1AAC52DF18,SHA256=9BD3F931F37F94D5761E4A852ED2C883C539D7B4E9F273A30C56E6F770DC0D81,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.492{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Forms.dll5.0.20.52001System.Windows.FormsMicrosoft® .NETMicrosoft CorporationSystem.Windows.Forms.dllMD5=2A73DEDC888D37EDE587E63B392FC24E,SHA256=E036F6FDBC081D276D8C89989C0EE79264BCC3ED40AFD35CA3A3491B76A4F54D,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.388{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.dll5.0.20.51904SystemMicrosoft® .NETMicrosoft CorporationSystem.dllMD5=4B36D4EDF954E901976A778F35EE7551,SHA256=3DC0B50AA51155B68D894C03E9E006852DD3C0AF041D5FC06F9F7A8DD3D28A08,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.388{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Metadata.dll6.1.8.0dnSpy.Debugger.DotNet.MetadatadnSpy.Debugger.DotNet.MetadatadnSpy.Debugger.DotNet.MetadatadnSpy.Debugger.DotNet.Metadata.dllMD5=C0D818AA697E303CF5F3F6CF8D60A3F4,SHA256=992037BC15EC9204A0677CAE483AABBE2BD990E4672CE9E3904EAACB2C7B70F6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.384{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Features.dll2.10.0.0Microsoft.CodeAnalysis.FeaturesMicrosoft.CodeAnalysis.FeaturesMicrosoft CorporationMicrosoft.CodeAnalysis.Features.dllMD5=592452FDB88BA0FF76D416A41ECDACD1,SHA256=DB8E814C2920C4C61DB5C9E91B4044F146F972D0DC6DD166611B0FC4124CAA2B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.360{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.dll6.1.8.0dnSpy.Contracts.DebuggerdnSpy.Contracts.DebuggerdnSpy.Contracts.DebuggerdnSpy.Contracts.Debugger.dllMD5=181A2439C1155441124C1776F8F662AC,SHA256=3D026836ABBBEB3BE6798E92485CF328300124FD9218ED8D4BCA83CE4E206C24,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.360{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.dll6.1.8.0dnSpy.Contracts.Debugger.DotNetdnSpy.Contracts.Debugger.DotNetdnSpy.Contracts.Debugger.DotNetdnSpy.Contracts.Debugger.DotNet.dllMD5=A322175D0D1BC7B92B13E45ECA746CB5,SHA256=30EB2CB4D1BA8E42B4D80162D135DD37D23FE2002652B27C350C7C7EE7A6E4FF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.356{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.dll5.0.20.51904System.Threading.TasksMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.dllMD5=D44116A35BF3C9B3F413E8EA7A37E8EF,SHA256=74D7A971E6EEBFF5E790B9A9F935A1A1FCE6CF26F2F0C4476CA661FEC8FB6069,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.356{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Text.Encoding.dll5.0.20.51904System.Text.EncodingMicrosoft® .NETMicrosoft CorporationSystem.Text.Encoding.dllMD5=CF0D252DE2CB6F5C04B942E1A25268ED,SHA256=CE1FC1544079F4A2964BD267B87FE02E8E1ABC37E416CFCBC56EAC4F02578379,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.355{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Language.Intellisense.dll15.3.1711.0902Microsoft.VisualStudio.Language.IntellisenseMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Language.Intellisense.dllMD5=0B8EE9C16452E25BA8213164A8C0DF19,SHA256=EE591319B81309F70617C0A444D8B7BC014BD8C86B3A35034748149B8D129554,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.353{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Workspaces.dll2.10.0.0Microsoft.CodeAnalysis.WorkspacesMicrosoft.CodeAnalysis.WorkspacesMicrosoft CorporationMicrosoft.CodeAnalysis.Workspaces.dllMD5=17A23610A3D915E4037B775EC26700D7,SHA256=26F0BB24CECF6DFAD03F27943ACF420C2605B47B5C86CF90032F908C3A985C85,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.322{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.dll2.10.0.0Microsoft.CodeAnalysisMicrosoft.CodeAnalysisMicrosoft CorporationMicrosoft.CodeAnalysis.dllMD5=3729A7EF430507D05046B1AE5EB843B7,SHA256=85BBFDB35EE97BE5DD5722076F7BB2A0EC674B2CDCEB15179D72B87C336F5E1B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.302{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.Composition.dll4.6.26515.06System.ComponentModel.CompositionMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ComponentModel.Composition.dllMD5=868AD071108F7B0ADCEEC2E9FFCD0FE0,SHA256=AB23A9EE4AD84643847865D6E975C6746BD913270DD63E7CA9125E4DC255645F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.298{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.TreeView.dll4.2.0.8752ICSharpCode.TreeViewSharpDevelopic#codeICSharpCode.TreeView.dllMD5=1C754B4CF6BB9D6F36132B0DD0042A89,SHA256=AF3E6CEF5342C7D7DD813913DDE2C765C1501ECF0832397DBB631CD5D15DDA21,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.298{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.Data.dll15.3.1711.0902Microsoft.VisualStudio.Text.DataMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.Data.dllMD5=EEFA9B065F29C2794AC489244DAFA7B3,SHA256=5AC8022AB982A5C36D64FB30B8115E2E43FACA91768C36AB8BA8B7E93E3DBDE6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.281{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.Dataflow.dll5.0.20.51904System.Threading.Tasks.DataflowMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.Dataflow.dllMD5=C1743E545CEE6179FC58B2E199DF25A6,SHA256=5B4FAC63E244E6B4597D012C3164853106B9DE45B0A598D2B379E31E316322B5,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000090975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.399{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000090974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.399{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BD9EA1E1F132977AB0765C3B216C20,SHA256=5536C1F658488690ADB2AE676695BEB089F721E8932C7196781F6654CB7C9EE0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000090973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.269{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.Immutable.dll5.0.20.51904System.Collections.ImmutableMicrosoft® .NETMicrosoft CorporationSystem.Collections.Immutable.dllMD5=E7F89EDB49EE0F3B922CE3FBECAC2883,SHA256=DE34C4AA6F5275FDAD3A79E9A02C88DCC12AA1FE1C5FDC33667A6F07F07BC4C2,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.254{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Scripting.Roslyn.x.dll6.1.8.0dnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.x.dllMD5=D41C3528F927AECA19D08BB65E5198FA,SHA256=92FE6F6CC67B84A512E11F453F9B91B1BAF1AC24273B5DBEBBABEE4F675F3747,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.249{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.x.dll6.1.8.0dnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.x.dllMD5=1CC594210E498086C22E0A0216747AB0,SHA256=B0457947E885BEFEFD9CAB1FB33666A7B6C05664A60A819F1510BE7ED1F45F49,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.234{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.x.dll6.1.8.0dnSpy.Debugger.xdnSpy.Debugger.xdnSpy.Debugger.xdnSpy.Debugger.x.dllMD5=1693D42AD1C27B6C618BC9B8E4752D51,SHA256=E3DE282AA73E16A1D87AE03536C3F70626469F275E17917D49285FEF7659A231,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.216{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.WebHeaderCollection.dll5.0.20.51904System.Net.WebHeaderCollectionMicrosoft® .NETMicrosoft CorporationSystem.Net.WebHeaderCollection.dllMD5=6CE9BE4BE312E9F11C7EBE9C4DC58E1C,SHA256=45253F2F0F2FE4339FB288430DEA7C453A4C1172C96A6CDAF5BACCB735C33900,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.214{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.x.dll6.1.8.0dnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.x.dllMD5=23E7653073FF1B702BAA239B0238E563,SHA256=63834A4FD994D55293E0D0ED594EA87B1D96B7B22C85933D2FE3D795C3865518,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.210{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.Primitives.dll5.0.20.51904System.Net.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Net.Primitives.dllMD5=DE2DEA556F7571727C45416A62215D34,SHA256=14D7A7543AB9C32EAA19A155A918D0309086984656137B390BD1A35284DEFACB,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.208{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.Requests.dll5.0.20.51904System.Net.RequestsMicrosoft® .NETMicrosoft CorporationSystem.Net.Requests.dllMD5=D749114F9D88914A6294B1BD1D37AAFF,SHA256=81848523CF0E480D9AC226E7DB10067BF7AAD5DD58C404E25ED12DAA467F4DD7,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.206{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Mono.x.dll6.1.8.0dnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.x.dllMD5=D9F7CCB8B1F44756D5B05F245BBF363C,SHA256=F3DBF91D6C5863CCE3560DBC0F7A473CF3FEBEF68F6D055D871811E0762805F7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.202{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.CorDebug.x.dll6.1.8.0dnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.x.dllMD5=81B67A86CE14A218ACE16250A88DF15C,SHA256=82D5C5AA8A34239588949980714D3C0E182FE6E71CDF4C9CFCD0EE63341DAAB4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.196{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.BamlDecompiler.x.dll6.1.8.0dnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.x.dllMD5=5B7D1F5D64217D71F177B66918835091,SHA256=B7D5714FE8C0E7B9B8B1FF4833CAFA0DA90B0D06BA4D20E7CC0CA499C01F611A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.192{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ObjectModel.dll5.0.20.51904System.ObjectModelMicrosoft® .NETMicrosoft CorporationSystem.ObjectModel.dllMD5=33B6DB420B1A6588005D3CEBC836B971,SHA256=46F23B78CE5A4FF0F8F618C8DB22EEED30194ECF20498BE4C2AF76E8F63719EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.190{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.AsmEditor.x.dll6.1.8.0dnSpy.AsmEditor.xdnSpy.AsmEditor.xdnSpy.AsmEditor.xdnSpy.AsmEditor.x.dllMD5=1AAE6BB642ACF46225A9FD41F7527953,SHA256=6C9713D753C9171BABA5B91C9278518FEFBC591279CFDC57D5F12BCB2A1A5864,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.172{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.Concurrent.dll5.0.20.51904System.Collections.ConcurrentMicrosoft® .NETMicrosoft CorporationSystem.Collections.Concurrent.dllMD5=36FAD7241E0CAF8948BE0E7B07DCB04E,SHA256=681760A614C73AC8C35E6A3691082452521BFF532E134D22D0E8D37BF5F80095,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.172{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Analyzer.x.dll6.1.8.0dnSpy.Analyzer.xdnSpy.Analyzer.xdnSpy.Analyzer.xdnSpy.Analyzer.x.dllMD5=3ED0714402DF42948C21F997B2F18D9A,SHA256=E7156332466021ECCC0AEA952C1F87403DE616A551F5FBBE14625F18A059DDB8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.166{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.dll5.0.20.51904System.ComponentModelMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.dllMD5=04419015F791B988C655654AD4A5327D,SHA256=2F0D1A9D100FD54F289E69A2CD60EFB463668A790A5A89D25FE446E36614F4A3,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.164{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Extensions.dll5.0.20.51904System.Windows.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Windows.Extensions.dllMD5=945AA61B2BC85CFA83B9EC6CE150F487,SHA256=89E23A3D4C58A93796103D94595222369A5EF370A3BF360113AB538747249E5F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.162{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.Xml.Linq.dll5.0.20.51904System.Private.Xml.LinqMicrosoft® .NETMicrosoft CorporationSystem.Private.Xml.Linq.dllMD5=09CEC04DCB123C7C3B787523145642D4,SHA256=56451D904548E2B7ABA2BC3D9A8AE7051EDE2BC39A6DFCAD39CFDA73C79E62D8,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.150{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xml.XDocument.dll5.0.20.51904System.Xml.XDocumentMicrosoft® .NETMicrosoft CorporationSystem.Xml.XDocument.dllMD5=064E73DC21144EE4B44658598B754565,SHA256=3CEDE00BAD51746321E07E75AA4B50C583E359CD78D70C52D5C898AD2583A68B,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.150{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.TypeConverter.dll5.0.20.51904System.ComponentModel.TypeConverterMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.TypeConverter.dllMD5=43665ABB5D9003BA8C20E77EC13703D7,SHA256=283FEE5DC2B2AAE112FB0D6E26ABA2A92B723F9ACAE77668C64E7C5C564A9058,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.140{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.TraceSource.dll5.0.20.51904System.Diagnostics.TraceSourceMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.TraceSource.dllMD5=5B1EDA36BB35EF55B810C31B41033D98,SHA256=464773E5BE07CBE2BE86B63164D565B8F2158B516E260D94F666164883BF2614,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.136{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.dll1.0.0.0dnSpy.Roslyn.VisualBasic.EditorFeaturesdnSpy.Roslyn.VisualBasic.EditorFeaturesdnSpy.Roslyn.VisualBasic.EditorFeaturesdnSpy.Roslyn.VisualBasic.EditorFeatures.dllMD5=4888512720EC76D7A7A516659BED77DF,SHA256=8E48E5A2F4259AE50A11DCDF505BEBB85039F21E9DDD59E04C018A0185177547,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.136{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.EditorFeatures.dll1.0.0.0dnSpy.Roslyn.CSharp.EditorFeaturesdnSpy.Roslyn.CSharp.EditorFeaturesdnSpy.Roslyn.CSharp.EditorFeaturesdnSpy.Roslyn.CSharp.EditorFeatures.dllMD5=CCE48FE96BDAFB4ADB1D4518BF87F840,SHA256=FFC69EAEC54819CD97A9AE34C088A41A26C186C31B1618C95717EABC69C0AB9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.136{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.EditorFeatures.dll1.0.0.0dnSpy.Roslyn.EditorFeaturesdnSpy.Roslyn.EditorFeaturesdnSpy.Roslyn.EditorFeaturesdnSpy.Roslyn.EditorFeatures.dllMD5=33DC2923F257D1D40BCDA2553E426A20,SHA256=16F43B2F55A63EEC692F2A9017962CF9FEB8E5516105B9E34597FE5D320A3A29,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.134{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.UI.Wpf.dll15.3.1711.0902Microsoft.VisualStudio.Text.UI.WpfMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.UI.Wpf.dllMD5=73EB6BCE506CB1EEA24B7EAC9016961D,SHA256=AFBB75D4627E03BBC623D431DC60A0369C5F1951DB9F5F204348923FEEFF2420,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.132{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.CoreUtility.dll15.3.1711.0902Microsoft.VisualStudio.CoreUtilityMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.CoreUtility.dllMD5=2D07B735A69CA36E3F0F38C6387B8E28,SHA256=B89BE2024F64A5EAD3BA16985C42D69C13E58F58745206B9A17B594978754713,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.132{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.UI.dll15.3.1711.0902Microsoft.VisualStudio.Text.UIMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.UI.dllMD5=EB52DE9017440E056D47952ABEBE4EF6,SHA256=BB6332D6C685F9AA6F2CA7E2FAB34671CE3138681A978615C85AAB6F8B79DF13,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.130{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.Logic.dll15.3.1711.0902Microsoft.VisualStudio.Text.LogicMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.Logic.dllMD5=02226BF39CB9BA85E52E77F9789C8F07,SHA256=62905B7867D9487B5F1DB82825904D0DFC04ACE5966BEABBFCEE193CCF1C3D8B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.128{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.dll6.1.8.0dnSpy.RoslyndnSpy.RoslyndnSpy.RoslyndnSpy.Roslyn.dllMD5=3FE2234FE1C2501E54C036E67C2F3D90,SHA256=56191939435F4A232B17A8DEB189467275DDD9ECB74FCD116F00F0AE0A2E76A3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.124{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.ThreadPool.dll5.0.20.51904System.Threading.ThreadPoolMicrosoft® .NETMicrosoft CorporationSystem.Threading.ThreadPool.dllMD5=27306EEBC447D02D2752EAFDD5C437AD,SHA256=69AE68EDDE13F0E209D86D100EF31B26561F57F945D11A91A530FFDA67C6D992,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.106{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.Packaging.dll5.0.20.51904System.IO.PackagingMicrosoft® .NETMicrosoft CorporationSystem.IO.Packaging.dllMD5=48EF4B2F61F728714503F27AFCCFCCEE,SHA256=969B39A7F162D22A3D624E8FAD8396D1F8B569BA588E40FBDAF0F17B412849A4,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.102{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Validation.dll15.0.82.50463Microsoft.VisualStudio.ValidationMicrosoft® Visual Studio® Validation-Microsoft.VisualStudio.Validation.dllMD5=AFACFE5910B94215C77608666CD278B7,SHA256=4D11BD38CD3F818CE6C05909A4ACCBB7E24C1450FF17EFB9C90FD2BDCAC2BE22,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.100{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Composition.dll16.4.11.62881Microsoft.VisualStudio.CompositionMicrosoft.VisualStudio.CompositionMicrosoftMicrosoft.VisualStudio.Composition.dllMD5=595FF756E46AA13B0663B5DE23C26292,SHA256=5566740962768FE3BDAA32C53CCC5ED2B8C988FC76D663FE96D0399F649B3690,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000090940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.096{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Logic.dll6.1.8.0dnSpy.Contracts.LogicdnSpy.Contracts.LogicdnSpy.Contracts.LogicdnSpy.Contracts.Logic.dllMD5=87AFAF725AF4F6819FF4383247D98749,SHA256=A84656DA202D4A809B9BCD73EEB0DD93F780068D2327330BC0DEE95F3B0601F7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000090939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.094{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Loader.dll5.0.20.51904System.Runtime.LoaderMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Loader.dllMD5=33183F7B0712BA4DF7C83012BFF7F135,SHA256=2EA40E6F3C44A3E4E6862658CCD2059356AF20970660112730E6DFA0AFF13696,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000090938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.145{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\Temp\CASESENSITIVETEST6b4fe88c70ef44d29a8c35b5a04c09b52023-01-17 10:33:05.145 734700x800000000000000090937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.086{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Linq.dll5.0.20.51904System.LinqMicrosoft® .NETMicrosoft CorporationSystem.Linq.dllMD5=E8CC5234A22473F7955A8DBB8795DB14,SHA256=2AF55D08EC01900616A59DE429EC8B00E188EBB16C2F7A8E2D0B3B0F9068322C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.080{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 734700x800000000000000090935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.076{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.Registry.dll5.0.20.51904Microsoft.Win32.RegistryMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.Registry.dllMD5=70E7C70FBD3409C799CEA7066750D22C,SHA256=5459E4F9A447492D3344253A2DCE86DB071420C689B826B3D58577F2B3D66E58,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.068{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Text.Encoding.Extensions.dll5.0.20.51904System.Text.Encoding.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Text.Encoding.Extensions.dllMD5=310E2A704EECFCBB318E2456C8C4A0DB,SHA256=435B7CA895BB36EFBE01F5C562851D05DD387498A550B3E3F12C2BDEB1DF2C3B,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.066{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Algorithms.dll5.0.20.51904System.Security.Cryptography.AlgorithmsMicrosoft® .NETMicrosoft CorporationSystem.Security.Cryptography.Algorithms.dllMD5=42419826F8EC1F3A48005F9EB3AEFA68,SHA256=3F3008A84A64EBB04EA2A95BB3C30F29E1A73DAA38EAF44EEEC87837162BF5BE,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.058{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.WebClient.dll5.0.20.51904System.Net.WebClientMicrosoft® .NETMicrosoft CorporationSystem.Net.WebClient.dllMD5=96CA8EE3EEAF6D39D8A3B8168B12CE2E,SHA256=1F3ABD0539374C78A517C2DF5B59A267CA473D65F73132AD8EB5EB4152BEE4A6,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.053{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.Xml.dll5.0.20.51904System.Private.XmlMicrosoft® .NETMicrosoft CorporationSystem.Private.Xml.dllMD5=BAB599642433086C2EB1B4FEEDB5EDB6,SHA256=0B4104F7F3A38F8BE919B41E664E718EDA3EE6FB3B2FE6E272FD9E62FC9592D6,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.990{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xml.ReaderWriter.dll5.0.20.51904System.Xml.ReaderWriterMicrosoft® .NETMicrosoft CorporationSystem.Xml.ReaderWriter.dllMD5=E9490EE058F5FB1173D3A1113852349F,SHA256=127B2F9B27AE917B773BDF08A648B4664A5EE508176CBB0F988B5B344F946DF6,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.986{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=FE8A86849C7AAECEDE4C6D05DD01A15D,SHA256=7DB33FC022480980960D51D003E2602F428F867DB41DB36A2E38A194535019E9,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 734700x800000000000000090928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.984{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.Uri.dll5.0.20.51904System.Private.UriMicrosoft® .NETMicrosoft CorporationSystem.Private.Uri.dllMD5=4F8B1D6EA13E44A3A8F675E9AE295A18,SHA256=5248AEF495251F20444D081E03DB1E456D501B0E28614B4088519C70AFD26D6C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.980{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.Specialized.dll5.0.20.51904System.Collections.SpecializedMicrosoft® .NETMicrosoft CorporationSystem.Collections.Specialized.dllMD5=D07CBAE6132234B32B921FFE3468DA37,SHA256=3B89B21D068B245F1FE3D4FD1EDE456E81B2DC19F8FEA37E8CB85E14BAF0F2AF,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.978{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Configuration.ConfigurationManager.dll5.0.20.51904System.Configuration.ConfigurationManagerMicrosoft® .NETMicrosoft CorporationSystem.Configuration.ConfigurationManager.dllMD5=40A8E3F673ADDCE89933179A16450030,SHA256=B575F198C02A16993EB6AECD40487D8B2B785FA942A9E85430A0D1099D11771F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.968{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationNative_cor3.dll5,0,20,51202 @Commit: ed62575cb0a325b9028eddc675a05045762ec24cPresentationNativeMicrosoft® .NET Framework-PresentationNativeMD5=032701DC5A8D9682F6FE83E2870725F7,SHA256=1F2063EA6133F6152AE0060C1325A9EF5EA44B294626C4634BC9AA2F91F5B5F4,IMPHASH=1BA17ED539F0828D6EB789FA20855DD9trueMicrosoft CorporationValid 11241100x800000000000000090924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.034{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000090923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:05.032{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6185554CFD57797C43F2C7439BDA5FE,SHA256=C1CED3DE365C7F4FD43D44F5C8EB77A16666E377A13168942E2646D4B8DD78DE,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000090922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.951{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Thread.dll5.0.20.51904System.Threading.ThreadMicrosoft® .NETMicrosoft CorporationSystem.Threading.Thread.dllMD5=20E7BABF97C672DE738940C57B067032,SHA256=4B8192A1A68454CB54EAF689D0235FF8D41CA50D1AB479F26712936A58713165,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.949{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.Primitives.dll5.0.20.51904System.ComponentModel.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.Primitives.dllMD5=8C418CF01717B08CBCE657505478C96A,SHA256=DA60A90A49A1FDACCB8DC4EDDD1E216CC2A9945E5D2B38085992F4C92F59C69B,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.947{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\UIAutomationTypes.dll5.0.20.52003UIAutomationTypesUIAutomationTypesMicrosoft CorporationUIAutomationTypes.dllMD5=CC62AC0056EEFBE2A9729295386F3088,SHA256=48CACDF3BB5D27E7323898454E7816B0665E30143E67FDA79E7E76007FFFB477,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.942{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Memory.dll5.0.20.51904System.MemoryMicrosoft® .NETMicrosoft CorporationSystem.Memory.dllMD5=98F0395DBABE5BB3C84F4BC04FC37513,SHA256=B0BF5CB1720BE5A4F1475B6064AB500A29ABBC95D1102C4D277121F4621C6B68,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.939{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.dll5.0.20.51904System.CollectionsMicrosoft® .NETMicrosoft CorporationSystem.Collections.dllMD5=74D83A4CB6A652D5797559D468B6ECB1,SHA256=F19E7893DD9719A53F383B04F35A86031C2ADE883EB1B93A8AA560BF3B31B3F7,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.926{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xaml.dll5.0.20.52003System.XamlSystem.XamlMicrosoft CorporationSystem.Xaml.dllMD5=FE1FFE711BB3044464204E19A314618E,SHA256=E3DE85558EBA1FDFDCE59BA271E9B0DC0688B3F9E1A6453A4F7740758BA9433D,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000090916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:04.910{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.dll5.0.20.52003PresentationFrameworkPresentationFrameworkMicrosoft CorporationPresentationFramework.dllMD5=7A991EBF5EA07A2CBE6E96F370BCF028,SHA256=1E5908DFFEBDC501A5CC37F64F9104E6FE241DB2FCEEDFBB6A4C3D0285CEB337,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 354300x800000000000000069086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:05.075{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50346-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:06.335{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED4D34EB5798D6EC71FEFA9D0B0BA4E,SHA256=2FB7F7BF5763D8F0F80D31500616639AFD7B1A9BAF9757587414641E0DBDCD4B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.911{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup32\net\dnSpy-mef-info.bin2023-01-17 10:33:06.911 10341000x800000000000000091050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.472{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.472{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.472{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000091047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.382{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.CSharp.dll5.5.1ICSharpCode.NRefactory.CSharpSharpDevelop/MonoDevelopICSharpCodeICSharpCode.NRefactory.CSharp.dllMD5=BB9B505E8DE119D455B960DCDFD1379B,SHA256=9E5990F9B907E29A1B3CADECC278DF05F27EB0E6130F135BEB4B0152CCF2E9D2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 11241100x800000000000000091046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.423{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.423{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E289DA01AAC82B247081AA99B0BC2F2,SHA256=C442808470C9F75E2050A2C2CEB507F289142B90B73117FAD9842E3BF178074C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.320{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000091043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.310{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000091042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.290{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000091041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.290{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000091040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.280{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000091039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.280{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.280{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000091037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.280{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000091036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.280{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000091035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.270{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000091034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.270{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000091033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.320{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000091032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.270{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.290{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x800000000000000091030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.290{F172AD64-6CE8-63C6-1000-00000000B002}3566744C:\Windows\system32\svchost.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.290{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.290{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000091027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.280{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000091026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.280{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000091025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.280{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.280{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000091023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.280{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000091022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.270{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 734700x800000000000000091021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.270{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000091020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.270{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x800000000000000091019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.270{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000091018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.270{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000091017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.270{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.270{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000091015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:03.202{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49580-false10.0.1.12-8000- 734700x800000000000000091014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:06.144{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 23542300x800000000000000069087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:07.450{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1804B7B663835402CE022733F0E4DA8D,SHA256=F406D073C525EB9171E0EAC05182A312BCD4CB86E70BF8F28DF8F585A8DA12B2,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.958{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xml.Linq.dll5.0.20.51904System.Xml.LinqMicrosoft® .NETMicrosoft CorporationSystem.Xml.Linq.dllMD5=EF46C718AD814D91A6E6DB5FBEB694B6,SHA256=8FF616B762BA70B8CE83DF54B17670744B3520F74DDE741E774C4C743954AEEC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.958{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemXmlLinq.dll5.0.20.52003PresentationFramework-SystemXmlLinqPresentationFramework-SystemXmlLinqMicrosoft CorporationPresentationFramework-SystemXmlLinq.dllMD5=B2DD1FD47D7379F9D0E75B9E277C38E7,SHA256=88042B38B08A983BFAC7E3056CAD41C3AEF10E52EEBCF6FEFE375E5954362ECA,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000091095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.892{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.892{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.873{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Controls.Ribbon.dll5.0.20.52003System.Windows.Controls.RibbonSystem.Windows.Controls.RibbonMicrosoft CorporationSystem.Windows.Controls.Ribbon.dllMD5=26161490E84D538E962CA7ABCF3CF516,SHA256=C1288D2AAB9C29933C80FA345539AB1EA4C14BACDCD83067F0846E5F92FE9103,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.868{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\WindowsFormsIntegration.dll5.0.20.52003WindowsFormsIntegrationWindowsFormsIntegrationMicrosoft CorporationWindowsFormsIntegration.dllMD5=3DF8BA758D0AFB16AB3371325DD10645,SHA256=41A5F6E455349298612015D5A24F1660FB42D433C7F613C09D53C77820FA30F5,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.850{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=807D0265EEB480488FD8F5BD31941489,SHA256=865D0A59E86E52F514BD1A782575CAD36100D7723595E566DD200B538D8B3A9E,IMPHASH=D3851D2627EE20865D40A6CE93CA8A17trueMicrosoft WindowsValid 734700x800000000000000091090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.822{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=F44AB7ABA7ED141A36E5C4F81DB43B6E,SHA256=C42607C98E4580B901671FF3E343902C1F05D97A7FE2E85A7920B55D181C1BD3,IMPHASH=4453AC692845F7F4429D6DD3ACF00D0EtrueMicrosoft WindowsValid 734700x800000000000000091089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.812{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=A6AC7569771A9D2B9DDB8839076D2C15,SHA256=7D8F95AF6D10F2F4086BF2ED3579E031BD991939816EA2CA162AA4BEF0243ECC,IMPHASH=3C84DC322121BEDBDD23AD37D5500FFCtrueMicrosoft WindowsValid 734700x800000000000000091088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.802{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=71488B2A3FEEE42631F968B08ED0503B,SHA256=2693217FA5F2A259F10D580B4AB95787ECB30B2DF16EF98631EF9D4B3DC62564,IMPHASH=37239F56D3864617C4EFB2A5F460F097trueMicrosoft WindowsValid 734700x800000000000000091087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.782{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=D238A301AE8EFABD029CE5C9B7777BF0,SHA256=FBB2B864831D5F0F71E1D0167B4EDD4FACB62BFD7913C465F4E291B868120163,IMPHASH=D87E30B18F53FE55C5B018AF0882ADC7trueMicrosoft WindowsValid 734700x800000000000000091086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.772{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 734700x800000000000000091085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.758{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=74261D485681A12AFF1AD517FD0EF200,SHA256=DEC3B7B1EBF3F7F4940FE63D665E2C50F6447C848C35C64B1BDE446E04358480,IMPHASH=A92DB75F144155161CE7994504E7528FtrueMicrosoft WindowsValid 10341000x800000000000000091084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.768{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+268c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.768{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.758{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.758{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.758{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=55D5450C85C0A0DE8F2A22F2C0C816AE,SHA256=3CF7B03BEB7C47157C47EACEBFB731096468D1D25FF6784485EFD2FB806C4C5E,IMPHASH=62E80DE569E3D2B9A30E859918635AC7trueMicrosoft WindowsValid 734700x800000000000000091079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.655{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7,IMPHASH=46FAD5286B22154C348CEBCE1107AFECtrueMicrosoft WindowsValid 734700x800000000000000091078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.653{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=58D7CC486FB757A96482F89A6D2D9088,SHA256=BA035B04C784402F69834914AD787E8DB854A7FB8B244AE6AAF54689DD4AFD09,IMPHASH=E8A9B749DD6516BB6E8D03D2472AFB9CtrueMicrosoft WindowsValid 734700x800000000000000091077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.622{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemXml.dll5.0.20.52003PresentationFramework-SystemXmlPresentationFramework-SystemXmlMicrosoft CorporationPresentationFramework-SystemXml.dllMD5=CC25620479DC857860BF0F43C668A3C3,SHA256=878E69B60E579A91BEC8CEDAA5AA2B1D63E06B1C62003E2462319955AD56CB16,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.582{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Claims.dll5.0.20.51904System.Security.ClaimsMicrosoft® .NETMicrosoft CorporationSystem.Security.Claims.dllMD5=1A9269B98BBDD07A02A51481AC8137CC,SHA256=75A75E52F1EB50E80F1A959A182AE42D329C0EF5FC68C41815925ECD50A55E90,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.582{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Principal.Windows.dll5.0.20.51904System.Security.Principal.WindowsMicrosoft® .NETMicrosoft CorporationSystem.Security.Principal.Windows.dllMD5=22D6E25CDA44D43DE77663A9D21319DB,SHA256=362F2219BD79AAC6D13996D4622665E83C50831D694DCF30BCD7D0099F7C3A78,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.572{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Images.dll1.0.0.0dnSpy.ImagesdnSpy.ImagesdnSpy.ImagesdnSpy.Images.dllMD5=1C028A62AC48FA4D993385061B00B5C0,SHA256=F09AE72B89B2CCEE1D06A6108244E2C48A17214DC068E3FBBACDBC6781FBBF1B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000091073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.557{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=7294744A8618ADCFB97F6CC9B06781BF,SHA256=9CBA204AECE064C4E8AA5C1E8D7C17EA054A47B315D8CEEFA1C206395E5E32D7,IMPHASH=5CB0004DB7090241A0C06F1853D02144trueMicrosoft WindowsValid 734700x800000000000000091072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.531{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=CAA396B0AEB8FEC6D76D0F2A4FF5DD68,SHA256=9024C0BB66A211AAD601D2565D6298257759E9C76A9A36E8067A137A68C654C0,IMPHASH=B1175218A8304DF3BD6BF43A45EE8073trueMicrosoft WindowsValid 734700x800000000000000091071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.496{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=ABB61EA7CC462930FB56C2D004A5B06C,SHA256=7C1525EEFF5357013C68BDDAB2F255E40C8D82A43EF05F374B8DE7D8B5247711,IMPHASH=B1A124F5ECF68D9AFF86BEE7BFF328D4trueMicrosoft WindowsValid 734700x800000000000000091070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.496{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90,IMPHASH=158FC41AF95869DAD152F6AD98D3B1B5trueMicrosoft WindowsValid 734700x800000000000000091069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.496{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=4D9672F9374964585D3965877B01C4FA,SHA256=40C88D068C11E6FC8025932F443E682568432C608C1FAADC7BA7ED1C3C864CFE,IMPHASH=C9B9759DF9461222DB59B46270E80943trueMicrosoft WindowsValid 11241100x800000000000000091068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.473{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.472{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7838419F9B6870BD11C52812336182E2,SHA256=372EEF23EF0FC5AAD1D43D57007D109DF4AA6067519D26A65EC6299BC8EB4214,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.427{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Drawing.Common.dll5.0.20.51904System.Drawing.CommonMicrosoft® .NETMicrosoft CorporationSystem.Drawing.Common.dllMD5=1305BF48C126409D633938DAB8D07D6E,SHA256=D74451856C6979B2D07592557B73724DA4ABB44A736CFBB515DBA58679CBDF08,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.417{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Resources.ResourceManager.dll5.0.20.51904System.Resources.ResourceManagerMicrosoft® .NETMicrosoft CorporationSystem.Resources.ResourceManager.dllMD5=F4C03555609A683991B3992FFD42E5F6,SHA256=92DB3A35B7F4191674AD7E15F464D4EBD8EDEC6372A3EEDBB2FA257EFB5580FD,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.383{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Aero2.dll5.0.20.52003PresentationFramework.Aero2PresentationFramework.Aero2Microsoft CorporationPresentationFramework.Aero2.dllMD5=0FE944D1C24C6219A9A6AD514ECFA83E,SHA256=4445B4AED4ABA74039EF071E786C6196F46EF8BDE31491913E9A36FB17441834,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.369{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=95A1BA1B908C04EE471AAB365D557FC4,SHA256=5EAFA5C8125CE0A4C69238F28E94E9DC96ECB2474CF429A1BA4C56233D32EBFE,IMPHASH=781D96AFC4A43989716F0476826C7E94trueMicrosoft WindowsValid 734700x800000000000000091062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.345{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\d3d9.dll10.0.14393.447 (rs1_release_inmarket.161102-0100)Direct3D 9 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D9.dllMD5=17C406D38C3989FF3BDB17D08C1991CE,SHA256=CB991C87BEBCC39F14696409BA99F1B76FE59ABE7F4CE3A3C32660BD40528676,IMPHASH=812DD928B5D288A053A41C64D9CF80E9trueMicrosoft WindowsValid 734700x800000000000000091061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.267{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\UIAutomationProvider.dll5.0.20.52003UIAutomationProviderUIAutomationProviderMicrosoft CorporationUIAutomationProvider.dllMD5=4C687F9CDF810973F2627B67E31732E8,SHA256=D3ADDFD5514F3B7E25C337061F4C936294C927AFE5D595EF909F8F7F7B195DCC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.182{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Core.dll5.0.20.51904System.CoreMicrosoft® .NETMicrosoft CorporationSystem.Core.dllMD5=4136EAB2FBC7792DB2D3EB6B6B3BE1DD,SHA256=54D35F55FA6F0EB660857AC848465E4B2BD18243C00F17A8939A7EC3F0379BF6,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000091059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.157{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.143{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Primitives.dll5.0.20.51904System.Reflection.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Primitives.dllMD5=2A70DDE5C3BC3EA14D726B14E69C07C5,SHA256=DCA52587215CF63E868CB332D0C7B9327A49979072AFB4CC183F9B107F084838,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.142{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.ILGeneration.dll5.0.20.51904System.Reflection.Emit.ILGenerationMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.ILGeneration.dllMD5=4999F4FF1E0DA6D27039152F860D71F7,SHA256=A08F6798B5DF690BBB13A3B84423E273A0EEB60AB821A61ACAC03C238D21704F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.132{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.dll5.0.20.51904System.Reflection.EmitMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.dllMD5=9C6C9CC23B208C755634A8BF897ED1C7,SHA256=CA9832277861A74D7DCA3D82F3B84FF2B8F03306A7FBB53381B836B732AA6AED,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.112{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\D3DCompiler_47_cor3.dll10.0.19041.1 (WinBuild.160101.0800)Direct3D HLSL Compiler for RedistributionMicrosoft® Windows® Operating SystemMicrosoft Corporationd3dcompiler_47.dllMD5=2F2E363C9A9BAA0A9626DB374CC4E8A4,SHA256=2630F4188BD2EA5451CA61D83869BF7068A4F0440401C949A9FEB9FB476E15DF,IMPHASH=131726669BC1E34B495EDB4198D0ACA3trueMicrosoft CorporationValid 734700x800000000000000091054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.082{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\wpfgfx_cor3.dll5,0,20,52003 @Commit: 9e81b0885121e9958e48895ae48be9639a396528wpfgfxMicrosoft® .NET Framework-wpfgfxMD5=5D5BB2B475001CACDABE0ADB055A7D26,SHA256=B6971EF4D0588C755308C7576E1AC47EF22C04B0592B1C868BE9232D71606BD2,IMPHASH=70F1A0D363621ABFF560EC43176FC514trueMicrosoft CorporationValid 734700x800000000000000091053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.057{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.EventBasedAsync.dll5.0.20.51904System.ComponentModel.EventBasedAsyncMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.EventBasedAsync.dllMD5=DB46E74D782B81F9FAE875E86AD893DD,SHA256=EB4B605875637B11EF5C3E85BE6F92972F68C1341A2EF3856A145E05F47FFAAF,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:07.001{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.SystemEvents.dll5.0.20.51904Microsoft.Win32.SystemEventsMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.SystemEvents.dllMD5=857F1C305D06A0D09577C60F0EC43C2D,SHA256=01B6C06A77E530D470504AC673308A958DA2D6753ECB90F6211D11074A24AC8F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.739{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Tools.dll5.0.20.51904System.Diagnostics.ToolsMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Tools.dllMD5=BC52E1FB72C18B9CB10CF961CC3175CB,SHA256=7277320963BD7C232F78BE5AE32A1B830C1A06BD77702AA2CF48F0F955E2DF27,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.729{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Extensions.dll5.0.20.51904System.Reflection.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Extensions.dllMD5=F7A9E5782B1C494B30D97CD6E5004A9C,SHA256=4BB7637A331496FE5148C273A9E0A0B4CCFB8A828EE8F65D747DD59720846F0E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.694{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.Extensions.dll5.0.20.51904System.Threading.Tasks.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.Extensions.dllMD5=F455CE03C6F3E9DC44151F0F1E517010,SHA256=755548A49E1E7BE7D893C935174F9B00D969E5462833377F4EBA931040F10E8F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.684{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ValueTuple.dll5.0.20.51904System.ValueTupleMicrosoft® .NETMicrosoft CorporationSystem.ValueTuple.dllMD5=A763C9246A43433D508DE8714252EB93,SHA256=20585542D9B7EA78D32C0A9708B0BC55F5A40A0E145207417D3DC22E11C0C12F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.662{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.AttributedModel.dll4.6.24705.01System.Composition.AttributedModelMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.AttributedModel.dllMD5=24A0C8CCE8C132DF82C9B9C1AE834D05,SHA256=04D8EB1419E053FB7502DD952F3977F75B27DEDE5418D5F87D21DE16ADBD8313,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000091154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.661{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.Runtime.dll4.6.24705.01System.Composition.RuntimeMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.Runtime.dllMD5=D18C354A78688D6A3CF68A0567AF40E3,SHA256=C419E3D51F9EEFB1F6FC0FB7CCF9B5AC5CC4B75FA75131D4AF0C74252914EB10,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000091153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.661{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.Hosting.dll4.6.24705.01System.Composition.HostingMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.Hosting.dllMD5=D84515EE702052020EAAB048C0C221E3,SHA256=7A26E95E0F75E803ADB555ECFD02BCA59A533A4855DB6C861A3DEFB619DCE813,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000091152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.659{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.TypedParts.dll4.6.24705.01System.Composition.TypedPartsMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.TypedParts.dllMD5=B91887BFCA35E50CCE9F2D7102C88706,SHA256=2C609BED3BBD2BE810471E31E36B12CB321A50FC2541E8F29C1F59C8CF869C41,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000091151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.656{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.Features.dll2.10.0.0Microsoft.CodeAnalysis.VisualBasic.FeaturesMicrosoft.CodeAnalysis.VisualBasic.FeaturesMicrosoft CorporationMicrosoft.CodeAnalysis.VisualBasic.Features.dllMD5=C57B00A9F0C44758524D51D0108C307F,SHA256=C589DFE8AE495B154817DDB3D459A128B0CFE49D61E078D16682C7F38BF01279,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000091150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.646{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.Features.dll2.10.0.0Microsoft.CodeAnalysis.CSharp.FeaturesMicrosoft.CodeAnalysis.CSharp.FeaturesMicrosoft CorporationMicrosoft.CodeAnalysis.CSharp.Features.dllMD5=D0B6F0DF27507B3321E57B04B15CCCD6,SHA256=FD7C989836FACB6341057062BB87AE35ECCE722DE3329CC63930BC0D875DC1F8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000091149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.628{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.Workspaces.dll2.10.0.0Microsoft.CodeAnalysis.VisualBasic.WorkspacesMicrosoft.CodeAnalysis.VisualBasic.WorkspacesMicrosoft CorporationMicrosoft.CodeAnalysis.VisualBasic.Workspaces.dllMD5=5EC4B67A8ACFEF25DD46D95BE2AEFE9E,SHA256=DB71B2CFE00285C76BCCC26BD1489ECFD36521767546D274E9C38A3CE705386D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000091148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.628{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.Workspaces.dll2.10.0.0Microsoft.CodeAnalysis.CSharp.WorkspacesMicrosoft.CodeAnalysis.CSharp.WorkspacesMicrosoft CorporationMicrosoft.CodeAnalysis.CSharp.Workspaces.dllMD5=7A56B5CB02DA5B7208706EE49ABD9D43,SHA256=310EBDFCE5F3FFA522FDCE334FAE8938CB1DB3FA887C4E7218E90E78C7A90E67,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x800000000000000091147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.620{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.Internal.dll1.0.0.0dnSpy.Roslyn.VisualBasic.InternaldnSpy.Roslyn.VisualBasic.InternaldnSpy.Roslyn.VisualBasic.InternaldnSpy.Roslyn.VisualBasic.Internal.dllMD5=284C6392F85C2DC5CCA29B2F674569D0,SHA256=D993CC3EA3CA58726D67E93D2B317856CE18EDC562855719F8E25BF19CFC43B0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000091146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.619{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.Internal.dll1.0.0.0dnSpy.Roslyn.CSharp.InternaldnSpy.Roslyn.CSharp.InternaldnSpy.Roslyn.CSharp.InternaldnSpy.Roslyn.CSharp.Internal.dllMD5=7ABAEBDC2348AA1BE6AA21353D275E93,SHA256=9055B592C29C5AB9D58F4815CFB7A6006543EAD6A76A5A601256B4F3210C1037,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000091145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.602{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.dll5.0.20.51904System.ReflectionMicrosoft® .NETMicrosoft CorporationSystem.Reflection.dllMD5=5801343FF9906C8C0870078E446EDF84,SHA256=344913CBF6CF7E9329AA0E1CAAD54165BCB3E76D4DE09CF75E7A35CD999ACC36,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.593{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Metadata.dll5.0.20.51904System.Reflection.MetadataMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Metadata.dllMD5=CA7466D9F6F3460A2669EB4DE896CCDE,SHA256=F2D4E528D759869942010AAA4D5FE7CE8386A05F5907E394AA7F248B91D3A5A7,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.584{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.dll5.0.20.51904System.IOMicrosoft® .NETMicrosoft CorporationSystem.IO.dllMD5=E1CBA4B34E6F2D138365D7C877401190,SHA256=2B065E31129B5EA260EB621867F73CBE38F960A56C4998CF265DEFF1466EE58E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.576{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.dll2.10.0.0Microsoft.CodeAnalysis.CSharpMicrosoft.CodeAnalysis.CSharpMicrosoft CorporationMicrosoft.CodeAnalysis.CSharp.dllMD5=38343F3D8108EED296FDF5AA19102E20,SHA256=75E17C4AA3D0374ECF1D04C2DE449F6EEE9F13CF5F291BB8C8C0D170B1CEA4C8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 11241100x800000000000000091141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.580{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup32\net\startup.profile2023-01-17 10:33:08.580 734700x800000000000000091140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.532{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.dll2.10.0.0Microsoft.CodeAnalysis.VisualBasicMicrosoft.CodeAnalysis.VisualBasicMicrosoft CorporationMicrosoft.CodeAnalysis.VisualBasic.dllMD5=B50DFCC8CCC16FDDE20D2105C3AC20AC,SHA256=21AEB6DB0ABFAA7FF6D0EB7F6EAA65708B6AA7AB08982504EFD42D0A6CFAD327,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 11241100x800000000000000091139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.503{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.503{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291D0449BF765B4BCD266900AB61A5DC,SHA256=0D951E28510DB211258AED358E59C0FB8AEC6A29DD7A1EDBD50EA391B581EEB4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.501{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.501{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6DD37133E50A514F3E93DF12B8EF08,SHA256=836389FF1C63CB14CE4120C0CFAE88DF8B12B8874490583D7AA3DC7EF07863BB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.469{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msctfui.dll10.0.14393.953 (rs1_release_inmarket.170303-1614)MSCTFUI Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTFUI.DLLMD5=2E0765561AC0715D03B2EAF4ACE62C5E,SHA256=F938D00A8FF9A1C832D0E50697A613D415A2B11988719E591C696D04027B189B,IMPHASH=46539B781BADC719A076E6CD82C5EF4CtrueMicrosoft WindowsValid 23542300x800000000000000069088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:08.544{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34F26BFC8AC401765022593EAB80B6E,SHA256=B38B1F79E531FA32D594AE118B35F914F5D6FEAE720BFE79CB44F100D2A9D5D3,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.291{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.Compression.dll5.0.20.51904System.IO.CompressionMicrosoft® .NETMicrosoft CorporationSystem.IO.Compression.dllMD5=F6AAD484A126ECA9E04272C05F4E0FD2,SHA256=CB592781CBB322807A7AD81138D54AD233239A232D3051BDC9F7DDED3627188E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000091133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.271{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000091132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.271{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000091131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.271{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000091130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.165{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.164{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.162{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.162{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.162{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.161{F172AD64-7634-63C6-B901-00000000B002}49005460C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.157{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.154{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.149{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.147{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.145{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.140{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.136{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.135{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.133{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.128{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 734700x800000000000000091114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.120{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Text.RegularExpressions.dll5.0.20.51904System.Text.RegularExpressionsMicrosoft® .NETMicrosoft CorporationSystem.Text.RegularExpressions.dllMD5=E106F6E8F87D8F2DDA2A6E62B5708C19,SHA256=34790BF37046893AC8876A51A604CE198BB8D7734CD1335AD899B97445E24BD6,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000091113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.119{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.115{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.107{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.100{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.093{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 734700x800000000000000091108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.061{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4,IMPHASH=19FF3D7E49F43D90E4842B5753CAF441trueMicrosoft WindowsValid 734700x800000000000000091107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.062{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4,IMPHASH=19FF3D7E49F43D90E4842B5753CAF441trueMicrosoft WindowsValid 734700x800000000000000091106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.062{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4,IMPHASH=19FF3D7E49F43D90E4842B5753CAF441trueMicrosoft WindowsValid 10341000x800000000000000091105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.065{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 734700x800000000000000091104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.059{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539ED,IMPHASH=A2681C42106048F87359D11744AD087BtrueMicrosoft WindowsValid 10341000x800000000000000091103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.057{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.051{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.044{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.037{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.009{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.007{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000069089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:09.632{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57AF5AA8F6D8E5E9608C2C7318BAE62,SHA256=C5C617C87EB6C2EC3ED8792CD0206E5D1E5704EB88B95CC41BA5DFAFB5C703A3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:09.554{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:09.553{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AD2D12A5E130ADFE9297C3E8D95652,SHA256=F0E574CF100894FE52CFC0EDE1D0FC9EB2D02A479558755353F8DA4F2714DA54,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:09.050{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.Lightweight.dll5.0.20.51904System.Reflection.Emit.LightweightMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.Lightweight.dllMD5=29AAA2E5C34A6CE437D1124396A784F5,SHA256=B04381E8584425D09B36868AFC0A826D07FCC5A1686CCFAE4FEE6966DF747DA5,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:09.046{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Linq.Expressions.dll5.0.20.51904System.Linq.ExpressionsMicrosoft® .NETMicrosoft CorporationSystem.Linq.Expressions.dllMD5=0EEF04CC1ACEC5ED7E1D78748624EB14,SHA256=CAC9C43CCE6BDD5508F46F6A2EBFD7F5F0626A1708799EFF20CE2264BE60DC0A,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 23542300x800000000000000069090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:10.834{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D0DD51D947412181AA33BA6E5BCCBC,SHA256=3C1BFC0551B668C8364250F60CB5E6A0137F9BF6E8A28ED3A6FAA9F4C4B261D9,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.945{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Primitives.dll5.0.20.51904System.Security.Cryptography.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Security.Cryptography.Primitives.dllMD5=1C98BB2F1E5B990982DA77235683EE1E,SHA256=45260C6669D49F682EA5D1922B14F6BFAEA3AEC1F1D689C67B674755A26A8F72,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000091174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.586{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.586{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FA67F8C98F77E44ECDF6DA02166931,SHA256=6B4E00DF9C51C3248B2BE32FAA0CBA48A8181E4C900EEEEBF6B28E176EA35AF8,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.577{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Numerics.dll5.0.20.51904System.Runtime.NumericsMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Numerics.dllMD5=217E6FE2D8AE4D93AE633C033407068D,SHA256=AA8E046E584BF1800F108E7B3AD051E6AB1807EC8A0DF5B787F66C825CD30451,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000091171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.497{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.495{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 734700x800000000000000091169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.340{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 354300x800000000000000091168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:08.320{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49581-false10.0.1.12-8000- 10341000x800000000000000091167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.186{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.183{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.178{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:10.166{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000069091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:11.917{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5350C52269F580B818AB4131B667C10D,SHA256=6EA397E86026F459E4772BD4332CD05FF8C772B7670F78DB0206875039523CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.185{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7962-63C6-7902-00000000B002}5520C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.177{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.174{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.172{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.170{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.167{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.164{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.161{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.159{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.156{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.154{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.147{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.146{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.127{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.120{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.117{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.116{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.114{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.111{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.110{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.110{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.108{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.094{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.085{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.080{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.041{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.034{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.022{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.017{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.016{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.013{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.010{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.008{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.005{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.005{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.002{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000091176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:11.002{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 11241100x800000000000000091215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:12.577{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:33:12.577 11241100x800000000000000091214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:12.115{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:12.115{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5BF82FB23817091A79CE864AAB3C65,SHA256=09CBF6B73798911B94A56A8A58ED1697E6112E39733336999BBDBFA431292F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.486{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8EA743D987734F257A8B2C73BBABF1D0,SHA256=FDC7E0B968699B8770286D9BDAECE777DF6BA980E7FF2165D52F8727FBFC6251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.382{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7968-63C6-5002-00000000B102}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.382{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7968-63C6-5002-00000000B102}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.382{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7968-63C6-5002-00000000B102}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.381{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7968-63C6-5002-00000000B102}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.381{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7968-63C6-5002-00000000B102}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.381{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7968-63C6-5002-00000000B102}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7968-63C6-5002-00000000B102}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7968-63C6-5002-00000000B102}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.339{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7968-63C6-5002-00000000B102}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:12.340{F6EEFE7F-7968-63C6-5002-00000000B102}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000091217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:13.201{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:13.200{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E30CCF011C068B3A8EF47C3581D047,SHA256=774E0C376F18A3CB3766EEFF7EF4AE6F9BB376619C004447C16E1E5ED243ECAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:11.059{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50347-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.465{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0363C83E7AC46F4061F69F0CC9FC504B,SHA256=9E220671F35DB95EC1EEB8015C9CE37044653F389B98C19123EB7AE906F10FC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.397{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.390{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.355{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.344{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.341{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.309{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.300{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.281{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.276{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.274{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.266{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.263{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.259{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.256{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.255{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.253{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.252{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.249{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.244{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.238{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.236{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.231{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.224{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.221{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.208{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.200{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.161{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.154{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.147{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.140{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.132{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.127{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.121{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.113{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.105{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.099{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.094{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000069112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:13.017{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DCEDD0009D62547316636B1B6A2A16,SHA256=D0EAB4A9D79971054F8CFAA01890CEA08DC3C8F89CDAF0BB03471D9D2E97E96E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-796A-63C6-5202-00000000B102}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-796A-63C6-5202-00000000B102}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.901{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-796A-63C6-5202-00000000B102}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.902{F6EEFE7F-796A-63C6-5202-00000000B102}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.636{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1EA6C6DE84F9B2F9004531FFAB3EAB46,SHA256=C2C98E2C6E918F49E425799A147BBB256E11C860CCFAF1BB4A84598A57BAD7F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.375{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-796A-63C6-5102-00000000B102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.375{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-796A-63C6-5102-00000000B102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.375{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-796A-63C6-5102-00000000B102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.374{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-796A-63C6-5102-00000000B102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.374{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-796A-63C6-5102-00000000B102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.374{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-796A-63C6-5102-00000000B102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-796A-63C6-5102-00000000B102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-796A-63C6-5102-00000000B102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-796A-63C6-5102-00000000B102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.235{F6EEFE7F-796A-63C6-5102-00000000B102}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:14.232{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9A02F8EE997059E65608B87D8AA7B5,SHA256=7D5FB4DAE2B7EBA0C743E5CA5550E46A1D972F20726F89DFE6EE91A3D046E2CA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:14.230{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:14.230{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026B6CCC7780D0E33ED5378DB404A799,SHA256=38D746607D8B6130461808D50155F09E45380B9B3C3AD0F8766351A8E18B9ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:15.354{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F35613A82D0433AC5CFD63ACB3FD888,SHA256=870759C9C4A0E1C533C59D348038A410ED1F90E45C9F6E38A114D4A3DBC7F0EF,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.964{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000091249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.964{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000091248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.964{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000091247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.964{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000091246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.964{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 734700x800000000000000091245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.954{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x800000000000000091244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.954{F172AD64-6CE8-63C6-1000-00000000B002}3566744C:\Windows\system32\svchost.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.954{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.954{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000091241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.954{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000091240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.954{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000091239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.954{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.954{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000091237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000091236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000091234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000091233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000091232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000091231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000091230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000091229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000091228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000091227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000091226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.934{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000091225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.919{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.910{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x800000000000000091223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.909{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.909{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.272{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:15.272{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABD4EE24D8AEEE39CFA77B86453B6AB,SHA256=9C1A7FED5A2E883E9B7501B41D49C5C13B88CF42D3EFEE2E8664457BC9351472,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:15.104{F6EEFE7F-796A-63C6-5202-00000000B102}4048660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.980{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9B,IMPHASH=02A49231FBD4D14396A5A54F65097366trueMicrosoft WindowsValid 734700x800000000000000091264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.980{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=B7BC15806713896B2EC8BB84A13A3FE0,SHA256=B963B89075098B3D38D40BB0D4164D7E50BEBD4F784ECAB0000D733A2CB14A85,IMPHASH=B6C77CE880E576162C4E4F9C5AF244ADtrueMicrosoft WindowsValid 734700x800000000000000091263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.970{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CSharp.dll5.0.20.51904Microsoft.CSharpMicrosoft® .NETMicrosoft CorporationMicrosoft.CSharp.dllMD5=68434F91137349C05AEAE000F3EA29B8,SHA256=1BD1F10D817EF2ECB3CC157747527FA5F3DB7239377C2EE3CA0F06D7B3775800,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000091262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.925{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000091261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.925{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E9600EDDA915C67F42315B4911E51DE,SHA256=9057EEFAD90385B4108BC7CB55559CD08BC8829A8763C9BEC285B97FCB8D7208,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.871{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.871{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BA17D0360DE2CF085FA02E56B2D6BE,SHA256=DC3ACFA68E87F86E14029731F8278750F701AD5E41B79118E4E065ACA48A2695,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.840{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.840{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.840{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.839{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.839{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.839{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000091252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:14.315{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49582-false10.0.1.12-8000- 23542300x800000000000000069204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.435{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62D9D8D19BF50B985ACE5770B1422CE,SHA256=8B48F869D1DEA7344EED3CF5B3F97CD0281E14FF871958B57412B0115D9B0B65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.419{F6EEFE7F-796C-63C6-5302-00000000B102}36963880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-796C-63C6-5302-00000000B102}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-796C-63C6-5302-00000000B102}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.230{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-796C-63C6-5302-00000000B102}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.231{F6EEFE7F-796C-63C6-5302-00000000B102}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000091251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.044{F172AD64-7634-63C6-B901-00000000B002}49006368C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000091276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:17.943{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000091275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:17.943{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000091274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:17.943{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-796B-63C6-7A02-00000000B002}1408C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000091273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:17.665{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:17.665{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEFA32658F33150EBD7A7BC6E710D15,SHA256=837F2E749C29DBE819BC84DCC65FB2E1D206CA4FAD35AB934A1F059B9FC5E053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.896{F6EEFE7F-796D-63C6-5502-00000000B102}18281048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-796D-63C6-5502-00000000B102}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-796D-63C6-5502-00000000B102}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-796D-63C6-5502-00000000B102}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.724{F6EEFE7F-796D-63C6-5502-00000000B102}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.519{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6CF7B09C164B136CD54F998DC925A4,SHA256=3395834B915224DFB0091DC66296285EE6A84FEB8312009F8BE23EB1A7124BC5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:17.364{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.dll5.5.1ICSharpCode.NRefactorySharpDevelop/MonoDevelopICSharpCodeICSharpCode.NRefactory.dllMD5=599AC99E9726762A0430CA3C3B77F3C5,SHA256=7AE880504DB44B9811D57C615E42107C2AACE31A2683A83BFAD2E00F4E03BEEF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x800000000000000091270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:17.345{F172AD64-7634-63C6-B901-00000000B002}49006368C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000091269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:17.345{F172AD64-7634-63C6-B901-00000000B002}49006368C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 734700x800000000000000091268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.990{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.5582 (rs1_release.221130-1719)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=706B329C801ED1E354B438DFCDFA0AD8,SHA256=83D4CDFD67A0F52AF2CA4B51D10800C76BB178BC5AAECFD1FEAC70826072A23D,IMPHASH=D5518C58E8C2DA7A25CD328B98086751trueMicrosoft WindowsValid 734700x800000000000000091267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.990{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x800000000000000091266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:16.980{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=BDE015F19B4508F5812D6F215AAE23DB,SHA256=BE452B19485B5277BC32F7044496880D9AEF38679C9FFCCF981FFE89AAE93C16,IMPHASH=C0A75BD240FCBDE29B7057900B03ADE8trueMicrosoft WindowsValid 10341000x800000000000000069218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.425{F6EEFE7F-796D-63C6-5402-00000000B102}47684212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-796D-63C6-5402-00000000B102}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-796D-63C6-5402-00000000B102}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-796D-63C6-5402-00000000B102}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:17.222{F6EEFE7F-796D-63C6-5402-00000000B102}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:18.838{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=828A9C70158C817F971418092CB2181C,SHA256=BFCBD4E7C4A20A14514EDD4C00F10C0D180AB1E120740E7D1D5DC7109E9C2AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:16.221{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50348-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:18.614{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7201DD90FEA49D717184C1BF4484E966,SHA256=84CA18184A682C6FDB9BD8EFF6D5866963DAB02BAD8D260A5AE6F637B092EA7A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:18.685{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:18.685{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4100425199AFB9E7BF475F998AC8EB3,SHA256=BB6EC7956902118AD9B55F8459725D390E5DA7A1F479452E1123ACC81021567E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:18.193{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:33:18.193 11241100x800000000000000091281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:19.832{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:19.832{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB0FDAF1C5434047FB7C7B19473E661,SHA256=771648A5625F16711074196ED66E305A26C37B0693082C03AD5AD38A3B358FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.738{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9A146AAAB020EA385A88FAB433A73D,SHA256=3418DB7F8FD1C7C4C282036C96448BBF09C726AC74CD66286F6DC22E3F7E9BE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-796F-63C6-5602-00000000B102}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-796F-63C6-5602-00000000B102}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.463{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-796F-63C6-5602-00000000B102}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:19.464{F6EEFE7F-796F-63C6-5602-00000000B102}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:20.848{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE72A3440523DE84471D824186738A42,SHA256=23A48BACA5C2FD297ED8F289F800E3DB6B292B3285B81EB72FACFD2713C1D948,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.781{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\crashes\store.json.mozlz4.tmp2023-01-17 10:33:20.781 11241100x800000000000000091333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.596{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup32\net\startup-roslyn.profile2023-01-17 10:33:20.596 734700x800000000000000091332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.461{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000091331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.469{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000091330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.463{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000091329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.250{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000091328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.248{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000091327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.241{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000091326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.238{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000091325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.236{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000091324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.235{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000091323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.227{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000091322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.227{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000091321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.216{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000091320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.213{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000091319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.213{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000091318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.208{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000091317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.207{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000091316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.206{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000091315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.205{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000091314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.204{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000091313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.203{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000091312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.201{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000091311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.199{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000091310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.196{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000091309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.193{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 734700x800000000000000091308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.242{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000091307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.234{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000091306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.221{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000091305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.221{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000091304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.221{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000091303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.221{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000091302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.220{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000091301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.205{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000091300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.205{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000091299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.205{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.204{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000091297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.197{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000091296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.197{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000091295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.196{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000091294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.196{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000091293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.196{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000091292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.195{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.194{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000091290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.194{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000091289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.193{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000091288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.193{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.193{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.193{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.193{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.192{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.192{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.056{F172AD64-7970-63C6-7B02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:20.008{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-051MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:21.012{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-052MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.902{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000091450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000091449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000091448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000091447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000091446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.845{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 734700x800000000000000091445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.913{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000091444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.913{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000091443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.913{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000091442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.913{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000091441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.902{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000091440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.902{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000091439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.902{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000091438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.902{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000091437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.902{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000091436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.902{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000091435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.891{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000091434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.891{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000091433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.891{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000091432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.869{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000091431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.869{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000091430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000091429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000091428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000091427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000091426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000091425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000091424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000091423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000091422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000091421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000091420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000091419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000091418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000091417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000091415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000091414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000091413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.853{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000091412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.847{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000091411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.847{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000091410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.846{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.846{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000091408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.846{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000091407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.845{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000091406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.845{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.845{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.844{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.844{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.835{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.835{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.694{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000091399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.691{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.691{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1E5E918EDF74883CEC525AB633600C,SHA256=24F8A4BB3D8BCA449B1C33F9846126A89B69BDE50B9C07E266A9DAB1C1B6ABB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.691{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8DF8A4D34A1FB522FB938B87D6346A03,SHA256=993561E1F3369286C20B9A338F60594E49410519BBEA6E5BF55E4466881C0CEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.436{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.241{F172AD64-7970-63C6-7C02-00000000B002}53285732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.241{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000091393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.241{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000091392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.171{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000091391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.170{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D251107485476B9E755472435310D5B6,SHA256=A371E3589E29383C686F9AB88D4E742DD3EC4C229F304DFAB1A77020642B3623,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.160{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.160{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173F0F3558EA79289BAF7DA5FF0B27B6,SHA256=C977500F0F0D2DA5D311369D40412147757FF04D03A562A344F997372FF15DA0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.079{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000091387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.009{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000091386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.103{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.103{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.103{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.102{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.102{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000091381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.102{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000091380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.080{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000091379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.079{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000091378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.078{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000091377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.077{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000091376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.076{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000091375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.076{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000091374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.075{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000091373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.075{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000091372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.069{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000091371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.069{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000091370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.068{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000091369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.068{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000091368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.068{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000091367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.068{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000091366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.068{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000091365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.068{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000091364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.068{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000091363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.068{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000091362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.067{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000091361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.067{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000091360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.067{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000091359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.067{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000091358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.061{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000091357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.054{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000091356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.054{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000091355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.054{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000091354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.050{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000091353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.045{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000091352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.044{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000091351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.036{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000091350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.036{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000091349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.036{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000091348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.035{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000091347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.033{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.032{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000091345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.030{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.029{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000091343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.010{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000091342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.009{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000091341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.009{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.009{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.008{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.008{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.008{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:21.008{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.869{F172AD64-7970-63C6-7C02-00000000B002}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:22.039{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD9C3A48466F6054B85AEEB11506186,SHA256=878BE83E07D64C4DF4800FAB590CA91CA5F03AED4E19D5AF039E5675487D4524,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:22.721{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000091458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:22.721{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13649B057AEC3C485D266AF678C4A158,SHA256=793760F1B9D266582F591EE4BEA3B56B290A8B886B9903673D28B4A8E88F86E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.181{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49583-false10.0.1.12-8000- 11241100x800000000000000091456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:22.532{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:22.532{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB52A6A3C9B122160B1C00B3101299A,SHA256=3C0D3FE46A00DD27C5FB200DF39AE272B184FBE1FFC9767FE1644F89F28FC7E4,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:22.095{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000091453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:22.093{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000091452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:22.092{F172AD64-7971-63C6-7D02-00000000B002}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000091463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.758{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49584-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000091462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:20.758{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49584-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 11241100x800000000000000091461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:23.287{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:23.287{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B38D073022FC7278A3F736AA0C9D3F8,SHA256=020D276C935A8DDE029C84477BE93CD4BD9237D9F2618CD118BE1B0B0524F27F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:22.201{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50349-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:23.126{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E774BFEBC6829C3F8F14C44E6DD8BE,SHA256=5C04688C1C0064C04D6230E562EB74862FC7F06A79E46A84AA5384CA9BBA8CF5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.979{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000091569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.979{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000091568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.979{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000091567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.968{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000091566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.968{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000091565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.968{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000091564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.968{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000091563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.968{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000091562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.968{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000091561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.968{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000091560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.968{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000091559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.968{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000091558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.968{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000091557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000091556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000091555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000091554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000091553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000091552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000091550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000091549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000091548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000091547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000091546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000091545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000091544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000091543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000091542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000091541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000091540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000091539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000091538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000091537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000091536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000091535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000091533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000091532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000091530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.961{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000091523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.957{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30515BD92C1E0BA98E400855393065CF,SHA256=F1638920CFF8FC38131378870588A826BD8ED45B7AE4D5CF0500871504E3FF2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.890{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.623{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:33:24.623 23542300x800000000000000091519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.623{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.623{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:33:24.623 734700x800000000000000091517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.504{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000091516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.504{F172AD64-7974-63C6-7E02-00000000B002}63485944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.504{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000091514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.503{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000091513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 23542300x800000000000000069257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:24.217{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89531FEFE4A5188096B16008CE59E004,SHA256=43AA5F378A8DB0E38A22C3601EFCFF5FB667A01160F3AC9A1C3491EAC5BCB3CA,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.333{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000091511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.333{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000091510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.333{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000091509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.333{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000091508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.333{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000091507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.333{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000091506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000091505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000091504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000091503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000091502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000091501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000091500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000091499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000091498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000091497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000091496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000091494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000091493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000091492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000091491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000091490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000091489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000091488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000091487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000091486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000091485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000091484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000091483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000091482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000091481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000091480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000091479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000091478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.322{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000091477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000091475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000091474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000091473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.318{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.319{F172AD64-7974-63C6-7E02-00000000B002}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000091466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.127{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_964443c2-11c0-4a78-b5d1-2f735af9ae9e.json.tmp2023-01-17 10:33:24.127 11241100x800000000000000091465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.114{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\aborted-session-ping.tmp2023-01-17 10:33:24.111 11241100x800000000000000091464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:24.085{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\session-state.json2023-01-17 10:33:24.085 734700x800000000000000091629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.826{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000091628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.826{F172AD64-7975-63C6-8002-00000000B002}50966976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.826{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000091626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.826{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000091625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 734700x800000000000000091624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.670{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000091623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.670{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000091622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.670{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000091621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.670{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000091620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.670{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000091619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.670{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000091618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.670{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000091617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.670{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000091616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000091615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000091614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000091613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000091612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000091611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000091610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000091609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000091608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000091606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000091605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000091604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000091603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000091602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000091601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000091600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000091599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000091598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000091597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000091596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000091595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000091594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000091593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000091592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000091591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000091590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000091589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000091588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000091586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000091585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000091584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.659{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.524{F172AD64-7975-63C6-8002-00000000B002}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000091577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.521{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.521{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E5D00A859802FC224A31CBF49B20CD,SHA256=5E1F87390F0CC39015626CCF9139CB4D2D376A3A1ECDDBD072EC15E670B6BB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:25.316{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5E2B3913AA517AD491DE9B9B557E56,SHA256=298CF30F547FD834BCD56E0FE0BBE76A427E2B9991123A29051FCB5A7F973006,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.170{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000091574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.169{F172AD64-7974-63C6-7F02-00000000B002}61206676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.169{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000091572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.168{F172AD64-7974-63C6-7F02-00000000B002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000091571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:25.090{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 23542300x800000000000000069259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:26.495{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A858DFACB000F029E14E560994C92220,SHA256=6E8587E872907452F21490FEDEE9CE3B6B8BB643E58AAA8ED95DD49320CEF4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.953{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-051MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.951{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0512023-01-17 10:33:26.951 11241100x800000000000000091681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.950{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0522023-01-17 10:33:26.950 734700x800000000000000091680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.827{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000091679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.827{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000091678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.827{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000091677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 734700x800000000000000091676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.659{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000091675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.659{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000091674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.659{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000091673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.659{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000091672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.648{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000091671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.648{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000091670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.648{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000091669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.648{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000091668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.648{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x800000000000000091667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.648{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000091666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.648{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000091665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000091664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000091663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000091662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000091661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000091660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000091659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000091658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000091657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000091656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000091655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000091654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000091653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000091652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000091651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000091650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000091649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000091648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000091647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000091646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000091645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000091644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000091643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000091642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000091641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000091640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000091638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000091637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000091636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000091631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.637{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000091630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.638{F172AD64-7976-63C6-8102-00000000B002}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:27.593{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDB3FDACE5E145E25C2F018E31F35BA,SHA256=63EC746A4948776A1448CA7E2A40A02FA08B8A0A2970B56FF59665BEC3E68B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.961{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-052MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.744{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000091703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.743{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=221347768EFCED670FFBCD7D2F846189,SHA256=7EE8915DC0346D8BBB151A5D5713802E6022AFA5968D7F2A7EE78774CA6F3058,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.664{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.664{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19C69B53BA5C01498CDC0F4E5A5E7EA,SHA256=B1DD74F3B23975096D5B1825A2932192488912E8E74F2D41E4087E2147D996B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.634{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.634{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.395{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.395{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD4F7DA87C00FA73ABC4AB4B8D04E17,SHA256=4A279B9F4A16CCC47AA22FA3A27893DAAEDF75D8174BA102C19EA594A4F824B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.320{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.320{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.320{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.318{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.317{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.317{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.317{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.172{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Accessibility.dll5.0.20.52001Accessibility-versionMicrosoft® .NETMicrosoft CorporationAccessibility-version.dllMD5=C46E0413EDBA49FCB022F2059B8328C7,SHA256=759CC60CD64286916CB932A89317EE8697232014A4373B8F10BD4F756CCCEA45,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.172{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\oleacc.dll7.2.14393.5127 (rs1_release_inmarket.220514-1756)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=578E7CDCEEEC1A28163863C5AAFAE703,SHA256=EE6DED451C99D92FDB375232A5DF33C846C11425E4409DBA6063539A1C566403,IMPHASH=91DB2465A9EA36C5C01315C79E4EAD5AtrueMicrosoft WindowsValid 10341000x800000000000000091687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.150{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.150{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.083{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:27.083{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7A393D07DECA004250538A6B489592,SHA256=DAB696BCE3471DD23810A9BBAFDE9A3E3418A34730D54295777730427415E6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:28.693{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367C4605B4B52CE90AC4ED823DC96631,SHA256=0935E0BFDC3C473F3CC5222FFFCF47BB61B3E994514AD9721746752EA938A8B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:26.162{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49585-false10.0.1.12-8000- 11241100x800000000000000091729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.697{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.697{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5432297A8E00059A6BD0782219805462,SHA256=50023FB97A3EC82457C89CB850B316E501D83C91E661B32BEB7BB7B55DD9BFDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.242{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.239{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.234{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.232{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.231{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.225{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.222{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.220{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.218{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.213{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.203{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.199{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.193{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.184{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.176{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.148{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.139{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.133{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.120{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.110{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.051{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:28.048{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x800000000000000069262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:29.791{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F368520F4AF10EF4D37DCDAF8CD15240,SHA256=2F8E5324228D46EFCC9BB0FD660EFB6CBBA98AA4A1E2F401D29333CF7CA0EC61,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:29.723{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:29.723{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B4C17993BCA8C56FE9AD02A8904CD3,SHA256=DD280086FA2A6606DFFBB50001642304A57CF9A28953F633C1BE9481BC4ADC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:30.902{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BDDDDB39E1C20FB4F7FD795B5FB167,SHA256=8E79331FD41E10493D525645E31CE00DB47081037D95C170A9E9C73AC5557CE0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:30.763{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:30.763{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5492ED095E41F8B7929240E11ACB7B,SHA256=3C4E54E408069CB70F9D3DD0DE25B5EE29051633D318E0B4381A3732AA06B5E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:28.195{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50350-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000091738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:30.697{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:30.695{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:30.278{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:30.275{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:30.270{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:30.256{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.538{F172AD64-7634-63C6-B901-00000000B002}49002552C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000091780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.538{F172AD64-7634-63C6-B901-00000000B002}49002552C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000091779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.386{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.383{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.381{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.379{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.376{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.374{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.371{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.368{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.365{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.363{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.355{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.354{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.336{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.328{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.327{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.325{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.323{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.320{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.319{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.319{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.317{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.301{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.289{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.285{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.251{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.244{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.230{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.225{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.224{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.222{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.219{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.217{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.214{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.213{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.209{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000091744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.208{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x800000000000000091743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.137{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x800000000000000091742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.137{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.076{F172AD64-7634-63C6-B901-00000000B002}49002552C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 23542300x800000000000000069265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:32.000{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDF9A73918E7ED73D63CA2B6CEADB22,SHA256=A39B6D7ED5011B7EF4B60CE4E780B547741C9D43AFC977DEAF770B8C983F41E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:30.245{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49586-false10.0.1.12-8089- 10341000x800000000000000091790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:32.214{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:32.214{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:32.214{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:32.200{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:32.200{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:32.200{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:32.200{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:32.100{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:32.100{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA869604FEA4BB0436C13A8483F1B59F,SHA256=D46C9D11E99A499272326452F113A1C595E74C0C837D3022E28123674FA29CEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.449{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.439{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.411{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.400{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.397{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8A01-00000000B102}2560C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.362{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.353{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.328{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.320{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.317{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.313{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.302{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.298{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.291{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.277{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.274{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.262{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.258{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.254{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.242{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.235{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.233{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.218{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.210{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.181{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.171{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.155{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.145{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.133{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.128{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.119{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.111{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.099{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.088{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000069267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.087{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9838DA4583A652C35F6E58D0CFD953E7,SHA256=99D1A95E77B7BB2226035209AAC76B31E2274E3DC00E61FB74E2D2C06863461F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:33.086{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 354300x800000000000000091794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:31.253{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49587-false10.0.1.12-8000- 11241100x800000000000000091793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:33.132{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:33.132{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C6D29E40A3CFE3CD35CA84CC5B2523,SHA256=95664930A15774A16BD31E03A1BC3E74D94F513B75171F252FE4C18700EC68A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:34.319{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DE218AB56C5CAFFD264284A5383860,SHA256=03302168D1A0281F89335D1EDBF560C5C0BDD8330CB8C13A67A6A979A9EA8E2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:34.989{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:34.989{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:34.904{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:34.904{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:34.183{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:34.182{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D268667F56F061AF35C425B87FB48E02,SHA256=2A75E5BF7A6FE14725686B63380ECBDE0CB8AF4DB29691DEE4266A17035C9159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:35.379{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D0F06852D206A8950014F522D9A118,SHA256=1CE14BB69609967BC362B3F7AD3B110B81134CC455AA8AD46E0E875366A4CE3E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:35.235{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:35.235{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6729CCDBC157C0DEA710BEEE430DB6B,SHA256=9C68402B63C95B7A6128AA44A33B6E70C23C6BACF5ACE3A5CE4564FBD22DA63C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000069316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:33:35.318{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000069315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:33:35.318{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0031d207) 13241300x800000000000000069314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:33:35.318{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a56-0xc561beca) 13241300x800000000000000069313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:33:35.318{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5f-0x272626ca) 13241300x800000000000000069312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:33:35.318{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a67-0x88ea8eca) 13241300x800000000000000069311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:33:35.318{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000069310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:33:35.318{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0031d207) 13241300x800000000000000069309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:33:35.318{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a56-0xc561beca) 13241300x800000000000000069308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:33:35.318{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5f-0x272626ca) 13241300x800000000000000069307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:33:35.318{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a67-0x88ea8eca) 23542300x800000000000000069319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:36.450{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C009AD9EE17E67C1FC8A43130EC25E8F,SHA256=19E58E806A3C86CA4DEFA35AB18B1BDC8129315284A53CD518D25DC43DFE25B0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:36.268{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:36.268{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C35EC89F097B6FF8F8BE65581D3B762,SHA256=9F36D99B75676163656EA15529321F9E65B741356F5B6D8B6BC992326BFFC425,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:34.090{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50351-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:37.774{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8677882FDE1346F9B29BDECDEA0078A5,SHA256=2DE27E32D2A0FC70190975F13D08D2F3086EF020FB843ED440524D058043AA53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:37.540{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C011150EF3392D96A4D8030C74FC101D,SHA256=86B596F7E8781426D9ADA37A4EA8FF41AC8DE6E9336AFC614CC1724CDB88C791,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:37.289{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:37.288{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E68334F91D7BB7627A840CF6B3D890,SHA256=6DA4030140BDD4992245DD6FB4A9BE17CC09EEBEC0E6739FE01A8FB6A5FD18D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:38.633{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4C9542943933DE74ADBCC8EFEA39A4,SHA256=02BC4CE4CE6228AEC59BFA4BD10B859A7200D8AB6DF476FDE860F4836122492B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:36.362{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49588-false10.0.1.12-8000- 10341000x800000000000000091810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:38.774{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:38.774{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:38.344{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:38.344{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A219961D9F476072238708574669D9A,SHA256=C297C2C5FC2A3D43C4E3AD1F17C9E7D7575A34FF1CD86D30FB154403A6D62AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:39.718{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0486E1DFF080EAB4D11AD3ABA46177B1,SHA256=C55B31563E823E5662E835D027CC66C727CD3CCCA92AA2F45B1C43368EA3348C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.998{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.998{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.960{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.960{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.875{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.875{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.844{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.844{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.829{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.829{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.698{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.698{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.614{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.614{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.575{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.575{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.559{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.559{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.495{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.495{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA53730C7EF08E7C0ABED3DF99ADC76,SHA256=6DADB31EA5073C4CB8B7C1A05D37A1BAA4D81882342ED967E37536D8DB1A4BFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.459{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.459{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.275{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:39.275{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.830{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.830{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.716{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.716{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.700{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.700{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.593{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.593{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B11A4325FC78A56BB113B01EAD8FBBE,SHA256=D06B709A4DC8C3E154D26EC8AC5076EDF896FA12E524A97454A21B55F166D76D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.577{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.577{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.299{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.299{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.160{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:40.160{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:41.861{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:41.861{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:41.602{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:41.602{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7379FE82EC5D0318AD8A9DF0529C9A,SHA256=6FF5DE474A7D378CAA0212138AB7BE041A3777D4ACC2E40E79C08FF646FB103D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:39.183{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50352-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:41.027{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01902D850CE9CFC5710639DEA8CDCA4B,SHA256=D6522BB7C44FDE860BC2A6A3B53D12E8FA595CB91EED2C724B5D17653326F1ED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:41.116{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:33:41.116 11241100x800000000000000091856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:42.642{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:42.642{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F24E158B1FADC92BF1E8F1EEBED34C,SHA256=8D88188276EDC7D40947C5BE1DFB2709FE2AD5D39E7A239E59F772672E120AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:42.118{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E182AB701713785F98955E908737D75E,SHA256=CB6D8FBF680AA2C189229AD0FD48909863AB76DFCE127C36591797A9DF3BB470,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:43.725{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:43.725{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD17A38FE9F06C3F84F3C245267DA12E,SHA256=00B5799D7F55D9F012FE342B432B5ED3067EF24FD76D502ECB5ADFA549B7907B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:43.773{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=46AD0D902AE2D67DA4F4B947284700ED,SHA256=220A11226F246339470286C37F99229310C62F76AA720D8EA83AD0EE9002CBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:43.224{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4116526266854DAEDD35A35C7646F5,SHA256=A50B35230738FA0EBD03F5FB9539A5AF144ED586CE11D3476B748A398F9E9A4E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:44.766{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:44.766{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE93E7BBC3D4355FAD851BB1E41F727,SHA256=6F79028FF1A224A2DDF67B1E1993C37A0F8A39F358918C031C2676F0A7C6A322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:44.336{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA9D9804CC6FE244B63152F2AC2782E,SHA256=E185A256AF292E93448AD136D198963369CF31034D35621FF0C233E49771491D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:45.830{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:45.830{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7536BB687C1A995DBE3183E781C85403,SHA256=D0B91A12A32056F8CEF5302496036801AF417293A8594D3011262BFABBA4F074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:45.432{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670904E6AE5D3A460441CD435CE4DDA3,SHA256=6327DC4C21912C282EBA46F2B005A561A59077BED38F6C0A7B3738F6B6DA8635,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:42.366{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49589-false10.0.1.12-8000- 11241100x800000000000000091865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:46.870{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:46.870{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB7D63ED0BD61767B4003DE5784115F,SHA256=2866FD75911A0B6C70D0ECDB98891209A502116A8253DAB7FFBCBBAB2ADE1A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:46.531{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F28AF625EF5AB9EB406DAC3171192B,SHA256=95BFE80BD12C4D964EFC1BF245FE00D15ED100970AA4E45D62F896B2737601F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:47.992{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:47.992{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:47.933{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:47.933{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027EF88A2032F5E8B90CA8C21E189F9A,SHA256=F97B93954482FFA9B2F1459CFCC81421CF0125A5AFE1627F559B3065D5CF1CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:47.723{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCFBE1BDE486FABA9AE38CECE7BB31A,SHA256=EA71FDAA49E86C4501683787D47080D22C1479D6B1AB934B87EF58FD477843A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:45.139{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50353-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:48.833{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98914EA794E38ED5254C2CD3EACED5C1,SHA256=403E2A828CD03E9DABC7EDBEEF7EA2E60CCF11E1AC2EBE534CD78C79487D2E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.215{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.211{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.205{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.203{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.202{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.195{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.192{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 11241100x800000000000000091885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.191{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:33:48.191 10341000x800000000000000091884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.190{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.186{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.181{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.167{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.164{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.157{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.148{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.139{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.109{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.098{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.088{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.078{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.071{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.028{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.025{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 11241100x800000000000000091894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:49.023{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:49.021{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F704D37AE7F2E9C2B5AC3EEABA21C34A,SHA256=D831EC97E672972312D5251F7877C472B9D7EEE4D83B0F6BAEC7214851C01654,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.651{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.650{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 734700x800000000000000091910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.387{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000091909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.386{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000091908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.384{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000091907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.382{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000091906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.380{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 10341000x800000000000000091905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.393{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.393{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.393{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.380{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000091901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.378{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.245{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.241{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.235{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.222{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 11241100x800000000000000091896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.176{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:50.176{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E25EDE144FC005110FB828CE98B4EBF,SHA256=6B4D5804A80CAF16CA711FCF29C08E3C021A9173655FBA9D9ED8618F3CFB24AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:50.148{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E72978C3379338F081A040D34B02DA,SHA256=ECE4AF94902DB1CD6EA8502408F6C25AA78E264444BD1923222B382820561E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.864{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4236F8D65617BEC7F1FB938B7DA8D6C2,SHA256=C386CB11C7A7DB1E7D63C3073A8731C1898AFB581E05859D5A0DBC568E67F7CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.625{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.625{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039978F472DCE0351E4E82FEE5DF07E5,SHA256=C51D5A919158E4B1E84BC26FE95C6CC4A110212887193CEFD23E52B3E896C10B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.311{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.309{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.307{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.305{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.302{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.300{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.297{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.295{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.292{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.290{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.284{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.282{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.266{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.259{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.258{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.257{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.255{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.253{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.252{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.252{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.251{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.237{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.229{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.226{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.198{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.192{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.179{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000069336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:51.248{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8180B20067B9567E6DBBA1F68416E9E1,SHA256=62C49A7B7E9E4F2F21C780ABEE38190DE0BFB2357178C7FBE48E3088135C448A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.175{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.173{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.170{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.168{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.165{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.161{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.160{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.157{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000091914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:51.157{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 354300x800000000000000091913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:48.147{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49590-false10.0.1.12-8000- 11241100x800000000000000091954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:52.759{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:52.759{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135DEBE1612FC6C2C02C0F671A238B68,SHA256=CF29C35B5616DF8F4D42AFDF5236A712B72A16D0AD2CFE7D0036E285C385E887,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:51.189{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50354-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:52.342{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BEAEF7A7E0ABDE1975A0159F9E18BD,SHA256=2D05DCCCBFA48CDDA289AB52E5C324FDC2D342749894E190A411AA1A9BC60636,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:53.844{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:53.844{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572453F72EA719B5562EE46C9237E963,SHA256=A9E64407E6DF2C0E23DFEB1A94CDC4C6DA90D26846D1F3A2CEF6AA796177B1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.627{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E1D9246DA44FA9BACF688394BCE1ED,SHA256=DE783D9526CB4E0588C065FED05CF0F62352BF756395D6E014ADDB938DBEF078,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.487{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.472{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.441{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.428{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000091960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:53.613{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:53.613{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:53.597{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:53.597{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:53.483{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-17 09:39:52.340 23542300x800000000000000091955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:53.483{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=936BB3C568CB5988E60296218903B4C1,SHA256=ED68964855079F338DCDF2B4576BF87193116528010AEC59C34363CBDA386EF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.392{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.382{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.365{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.355{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.353{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.343{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.337{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.333{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.330{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.329{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.322{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.320{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.318{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.315{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.310{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.304{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.298{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.293{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.276{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.273{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.256{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.242{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.209{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.198{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.186{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.171{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.152{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.143{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.134{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.123{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.110{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000069340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.102{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000069339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:53.096{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 11241100x800000000000000091964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:54.885{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:54.885{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70AF550F9049B1F52614949454150D0,SHA256=4E528893868D20ED5722B15CB4F9452127F12E302A5166783D73E772F3E53BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:54.529{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2D0DA80C871DBCE0273AB651FC4BA7,SHA256=1B2B0AC199301ADC46E14C39F874E590DB1E574916BBC2F34DB5582AD718B6E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:55.932{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:55.932{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71C01602869B67E410EEAC664B1635C,SHA256=33DFCC61D5D0AD3135DCCA04532680DE74FC1102291F56CDE38C97FB7EED5B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:55.621{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EA514364646D5E08576907FA80731E,SHA256=38D39F77DAAFAA1CD9215DB8E0AB0066C4ECD0EAFB1105A12C89470E6BE34CAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:55.584{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:55.584{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:56.976{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:56.975{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EEAF36806D7F898CA8AE16C6F979422,SHA256=91F32F295CFD2D3309561F10B7129EC66526D1F90045FA78EFB22A95396F81D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:53.236{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49591-false10.0.1.12-8000- 23542300x800000000000000069384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:56.812{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5FF206D6C73B2BEEEF9247661B541C,SHA256=2239BA6EDCE501EA79194437045E1E54E812ABB611B12D77E55DFA7213D91E8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:56.709{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:56.709{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:56.709{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:56.644{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:56.644{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:56.020{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:56.020{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:56.020{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620668C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:56.006{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000069385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:57.903{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2D7F042E30F8010A862B10C1B57AA0,SHA256=3B586BCCD1997D913DB6C7D5B4A41A809DF5953B0E362C90B0F08690877A017B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000091998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.759{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000091997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.759{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=810B8E3AF7AA0B20A91FEB91AE85AA36,SHA256=90A3C763C454AE4877BDE7BAD3096AEF86A0DC9FA3BF0191FE6336DD723D2189,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.543{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.543{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.543{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.512{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.512{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000091991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.427{F172AD64-795F-63C6-7802-00000000B002}7080ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\Temp\WPF\u2akdccy.nqxMD5=825AB5E8C725411B8B9C319BDCC8EA4E,SHA256=2E3A2C34CC9728CB3C1915E1C778FD0D63D46AC8E238C90726C96E4A31042357,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000091990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.412{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.Pipes.dll5.0.20.51904System.IO.PipesMicrosoft® .NETMicrosoft CorporationSystem.IO.Pipes.dllMD5=E5A2A0BA11DF94459FE5D52149A6C192,SHA256=71F82A195F49043534114C95926F666D613EC4EFBFE7143A902E84CBC6BB3CC5,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000091989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.427{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\Temp\WPF\u2akdccy.nqx2023-01-17 10:33:58.427 11241100x800000000000000091988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.427{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\Temp\WPF2023-01-17 10:33:58.427 734700x800000000000000091987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.412{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Console.dll5.0.20.51904System.ConsoleMicrosoft® .NETMicrosoft CorporationSystem.Console.dllMD5=83F00EEA290989E0776485A77B2A59C0,SHA256=C928E4A500F063DE9795B1E412D774FB1E5460031CC23CF37695A2A971616099,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000091986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.397{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Debugging ServicesMicrosoft® .NET FrameworkMicrosoft Corporationmscordbi.dllMD5=6A3777BF2C182F26D80A0FD655D115B9,SHA256=F70ECE738500DEB29A8DA3B0A65EDBD22230CD488BC3FD423EDCFAEA5C31BAE0,IMPHASH=0E6EE329C742FEFD6C4FC87550411942trueMicrosoft CorporationValid 10341000x800000000000000091985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.412{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000091984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.343{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120,IMPHASH=25F1E57C7A6ED06AAF329CB7B168FA29trueMicrosoft CorporationValid 734700x800000000000000091983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.328{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77,IMPHASH=900F88A34CE398C54C9022F5335E8EA9trueMicrosoft WindowsValid 10341000x800000000000000091982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.343{F172AD64-6CE8-63C6-1500-00000000B002}11204416C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.276{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.276{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.276{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000091978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.043{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.043{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D632337D1A685D88F9B86210C61006,SHA256=000D88B1DAC22DC8DD77F8E148682CDAB3E0F16E9E9E2444A72FDECC76FA4192,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:59.445{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000092001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:59.445{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4CEC014DDB698C2788002D067F83450,SHA256=47E439B107363CFC19BD8DF923D6A36DE14E4D82111C0001343884A64EAB07DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:59.129{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000091999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:59.129{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FFFE4BE4D5F1896C1B3CF78F2B44E7,SHA256=954C397972468F374850022201571A96B4833AAFAE0FB4A05FFF9005245B3878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:59.721{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:57.031{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50355-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:58.998{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CF5EE3A4EBCC774A6B1B3647D7291F,SHA256=67370DECB4D26A8AA8BAEEF725091AC4BE00D1E4202992C30D6B2555E75D88F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000092007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:00.316{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:00.316{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:00.316{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000092004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:00.147{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:00.147{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD2B30CCA77958014CD8E19D9707ED7,SHA256=B806910FB1565032A99E6F5D43FBFED2898519335937724DF37E9EC3284A6FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:00.396{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1386BACB9A36143DDC82C8CC4DD9F45D,SHA256=228B94D511DDE0EFDCCFE0D5647FF4114FA8F00FE0B9A27E48F15E585394D4BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:00.114{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6611C9DB6EA944D15BE8402B7690E02,SHA256=C9F200FA7B34AE1C8C012042DEF3E3CD08B0A02EFE3118244F10B7CF1BFF2A01,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:33:59.694{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50356-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000069391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:01.210{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C347E981230B9E12737568199CB734,SHA256=DB06FF0AA7E2388DCE2A8AEB458422F3E89A526BECF712DA0559716BA17FA7CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000092012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:01.517{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:01.517{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000092010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:01.233{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:01.233{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2A8730D71760BA0DAED48182FF6274,SHA256=B2CC7444664F2DCDAB50E66F3875B01D211144DFEE3BF860B416E6DC458BB582,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000092008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:33:58.283{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49592-false10.0.1.12-8000- 23542300x800000000000000069393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:02.303{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C88C73B05262EE2EF307FB9FD82A649,SHA256=DA0F01868B053790F32E4B3AC1A5BA146AC929FD56F4351C3AF33C51CB72B977,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:02.322{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:02.322{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7738662DC04D1E84D4AC870670EA41C,SHA256=4243B1F779301D025FF1729A1FE23D29F28205904E6F505BA041222C3106D2EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:03.414{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70634E1BEC1819CB6AB629538AF35AC2,SHA256=A682E41A6923864D96FABB0BD952B4FBCC0DE283F64DD537A150EF36451C4899,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.369{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.369{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71D07A5AA87D2DB06474567633863BC,SHA256=7C5DBA95C431A5648B29ED0A2AF769E8CDC4A8961F170ADA6D646D1A62C03F15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000092036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-6CE8-63C6-0D00-00000000B002}8924488C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x800000000000000092021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe 734700x800000000000000092020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.252{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\vcruntime140_cor3.dll14.28.29301.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=C4F45055B8704EB8C6DA870095CD5E59,SHA256=7C2CDDC1E4E0284FBBC55E3094927A29D247F648E5EE5BAE1E1E2A7183779AD8,IMPHASH=B06D4116DA69A513992D529F84731E6FtrueMicrosoft CorporationValid 11241100x800000000000000092019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.236{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup32\net\startup-roslyn.profile2023-01-17 10:33:20.596 23542300x800000000000000092018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.236{F172AD64-795F-63C6-7802-00000000B002}7080ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup32\net\startup-roslyn.profileMD5=1AE35AE0853889B10A6DC76DC7F18CB1,SHA256=902F196A959F72E2537E8CDC46A3EF81964EAB51EFDD4649C125E4F0648CD483,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.220{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Roaming\dnSpy\dnSpy.xml2023-01-17 10:34:03.220 11241100x800000000000000092016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.220{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Roaming\dnSpy2023-01-17 10:34:03.220 10341000x800000000000000092015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.206{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-795F-63C6-7802-00000000B002}7080C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000069396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:03.056{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50357-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:04.606{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53D673D3B07AA5941D5AE5735F2B83C,SHA256=4ACD29BB71A96318D734E857E6CC9CAFED7A15E4FABB6656A25A097595A47575,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:04.486{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:04.486{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D71958A810A4A9678B525DB4FB947D,SHA256=93B901FF623B015AEB5D19DE141DD70DF7C0A9ECB19ACA0AAEFDD56CFFBBED0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000092041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:04.253{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:04.238{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:04.238{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000069397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:05.686{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CDA0BF9FA0FEA093F56A5229A0E94F,SHA256=AC644BB5DA4EB1738BC5032CFC5CC424C3A7A7664339847C9584431E0F67891E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\oJLkOZcY.zip.part2023-01-17 10:34:05.896 11241100x800000000000000092058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\dnSpy-net-win64.zip2023-01-17 10:34:05.896 23542300x800000000000000092057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.896{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\oJLkOZcY.zip.partMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\oJLkOZcY.zip.part2023-01-17 10:34:05.896 11241100x800000000000000092055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\oJLkOZcY.zip2023-01-17 10:34:05.896 11241100x800000000000000092054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.559{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.559{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF978427AEF5C67AE30FC96591EFF035,SHA256=F3C3B520DDBD9252323522F764F27CB41C2F073C0B2493BA680DC57CB8098F08,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000092052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.301{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 734700x800000000000000092051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.300{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DD,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000092050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.273{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 13241300x800000000000000092049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:34:05.303{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{804543c5-0bd3-0326-558c-bed46a675495}\Root\InventoryApplicationFile\dnspy.exe|9c99790263b92c30\BinProductVersion0.0.0.0 13241300x800000000000000092048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:34:05.303{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{804543c5-0bd3-0326-558c-bed46a675495}\Root\InventoryApplicationFile\dnspy.exe|9c99790263b92c30\LinkDate10/19/2020 19:08:30 13241300x800000000000000092047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:34:05.303{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{804543c5-0bd3-0326-558c-bed46a675495}\Root\InventoryApplicationFile\dnspy.exe|9c99790263b92c30\Publisherdnspy 13241300x800000000000000092046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:34:05.303{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{804543c5-0bd3-0326-558c-bed46a675495}\Root\InventoryApplicationFile\dnspy.exe|9c99790263b92c30\LowerCaseLongPathc:\users\administrator\downloads\dnspy.exe 734700x800000000000000092045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:05.257{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=A0F1500393A5A2AE256507811E2C4EB8,SHA256=3E79304BAA358B36BECAF107178C50F25104C3BDB2A4448AFD967DEC050A724F,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 13241300x800000000000000092044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDBSetValue2023-01-17 10:34:05.257{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\dnSpy.exeBinary Data 23542300x800000000000000069398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:06.888{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D08CDF7622128B546667D4A4AC3623,SHA256=8B68D5884C283027AA1A9AE05279F563DF7ECD788892B0ACBE4854176BA06B13,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000092069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:06.976{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\EsdSip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying .esd Electronic Software Distribution filesMicrosoft® Windows® Operating SystemMicrosoft CorporationESDSIP.DLLMD5=CDF191FF99AF7729029F5E098FF7D819,SHA256=53A7D390A146F888AF5FE3F1EF3859ECC58D9E0EA3AE27FDDF281CE14691568D,IMPHASH=E47F6D532615E6E31018F6C5A9EA62C1trueMicrosoft WindowsValid 734700x800000000000000092068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:06.976{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348C,IMPHASH=C93A45A26AACEA8208AA325C281035F0trueMicrosoft WindowsValid 734700x800000000000000092067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:06.976{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x800000000000000092066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:06.976{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2,IMPHASH=F5D44AC1D5D2912F6B871FE7D5604CEDtrueMicrosoft WindowsValid 734700x800000000000000092065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:06.960{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52,IMPHASH=B062C097D0B3B0DCCA3ECC898B231E28trueMicrosoft WindowsValid 734700x800000000000000092064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:06.960{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41,IMPHASH=EE821B7DB352A29DF6636AEB059E4519trueMicrosoft WindowsValid 734700x800000000000000092063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:06.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msisip.dll5.0.14393.4704 (rs1_release.211004-1917)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=E05D3AEDC7E9A28DB9CE81C0C4D5DF91,SHA256=E57F53A4ADADE83595524BE8821C726882ABF0BA748471D3F4F502F4D8CDAECC,IMPHASH=9990E8AE89385588C988664086E258E7trueMicrosoft WindowsValid 11241100x800000000000000092062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:06.614{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:06.614{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB0ACDCACBF69950EC1AE3D50DA8E07,SHA256=5ECDC6DFBCAD38D071F09EC96B6688955DE888B2CA7C7B47B67A1142B95A3C7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000092060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:03.360{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49593-false10.0.1.12-8000- 11241100x800000000000000092075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:07.670{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:07.670{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D47620B53A15D909D42938B8E962A8,SHA256=3CBF51A0C592836A1C5B750E9667C9228F9D935D69968E688B5B327473A99486,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:07.670{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A6567374CB670F8C507FC828C073D4770CDCFFB72023-01-17 10:34:07.670 11241100x800000000000000092072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:07.412{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\downloads.json.tmp2023-01-17 10:34:07.412 354300x800000000000000092071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:04.733{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54840- 354300x800000000000000092070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:04.732{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51790- 11241100x800000000000000092102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.718{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.718{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD137EDEDC8B74A84DF6BB9758BFCB2,SHA256=6503E48657D975F77536879D7EA084544A628EB920ADD61098A8CB2ACAE7175C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:08.083{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE216518E283A26335EE700F40FA20A,SHA256=0CE56297B9A571DAD9D9F95022AD6F2D9E0F99B32F0AEE44596763566101F9D7,IMPHASH=00000000000000000000000000000000falsetrue 15241500x800000000000000092100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.331{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\dnSpy-net-win64.zip:Zone.Identifier2023-01-17 10:34:05.896MD5=7EA344C940604995DB07318A0D6C7D4E,SHA256=102C2E66F3A023680ED83183114BD59A73A9F87601D99B851E7BFE9DE4BBA35A,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 ReferrerUrl=https://github.com/dnSpy/dnSpy/releases HostUrl=https://objects.githubusercontent.com/github-production-release-asset-2e65be/38380854/47937380-38d4-11eb-89ac-3ced85afabce?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230117%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230117T103405Z&X-Amz-Expires=300&X-Amz-Signature=7ec92801d36f60b766ce677df2dca3298827bd97d1a80cb33d457417d09597f9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=38380854&response-content-disposition=attachment%3B%20filename%3DdnSpy-net-win64.zip&response-content-type=application%2Foctet-stream 11241100x800000000000000092099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.331{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\dnSpy-net-win64.zip:Zone.Identifier2023-01-17 10:34:05.896 15241500x800000000000000092098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:07.670{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\dnSpy-net-win64.zip2023-01-17 10:34:05.896MD5=4800FD15179864EDEF2FB70788A042A2,SHA256=78D855AEF02D87195DDDE4F4A89F16F03708E66EC8282CF8EB9ECC89DD469F6C,IMPHASH=00000000000000000000000000000000- 10341000x800000000000000092097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.154{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.151{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.146{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.145{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.143{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.138{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.134{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.133{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.131{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.126{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.117{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.113{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.107{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.100{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.093{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.068{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.059{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.053{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.046{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.040{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.011{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:08.009{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 11241100x800000000000000092105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:09.782{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:09.782{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B021A2DC18AE2C8830D12293FE22370,SHA256=210AA0FAB5CE914840F721078ED44E418DA471DF8DE06E08B7D0004C751EF080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:09.282{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEC02A8F1228E5756FBA103D828F03E,SHA256=02127A58315B24D462030C119E8FF6C64F06D169976D4FC0A948CC2DC41888E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000092103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:09.181{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\downloads.jsonMD5=D8E96F3507C07E159592D4B0865C013D,SHA256=723F2F8AD003F2A9D909A3EDA198E3DC0B46C119711E8C032EE2AEC2AFF3A8AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:10.854{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:10.854{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2007D1FCA251AFD0EB5A14DBCBBE38A,SHA256=60ED5F3A4882053B7EE36902B756E1FF9AA3CBA63FAF67D739399FBE3A24C374,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:09.082{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50358-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:10.369{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BD3C17A0654E4ADDF9471F53F7D730,SHA256=3CFB304EF737E13DB3754EB53E3E95347DD4D04465B5BD71B6E805F23ACD6973,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:10.621{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\120C95169F680CC08B897F251E98A043D063EBDB2023-01-17 10:34:10.621 10341000x800000000000000092111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:10.560{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:10.559{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:10.195{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:10.191{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:10.185{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:10.166{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000069403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:11.461{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673CD8DC4BEAEBFC88BA134EEC5CC202,SHA256=15CC44C066349850B8E0F0C6A0CF282D869FB9AEE37C010227A2A77A870FE688,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000092150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.254{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.252{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.250{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.246{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.242{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.239{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.236{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 354300x800000000000000092143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:09.202{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49594-false10.0.1.12-8000- 10341000x800000000000000092142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.231{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.226{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.218{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.210{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.191{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.183{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.182{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.181{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.179{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.176{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.175{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.175{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.173{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.157{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.143{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.141{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.109{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.102{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.088{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.084{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.082{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.080{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.076{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.074{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.071{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.071{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.068{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000092115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:11.067{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000069418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.671{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7953809E703CC117666A482E71E28F62,SHA256=943FEDDA8969A7BC9B6C78B873400ECD7A30395F86848578B5411863F96E9F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.656{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D319EEF245402EC2EBD371EE670111DF,SHA256=C4BB6A6D06F247ED2B7E8147828B05A34D6A1BF8D2015794D75965EC5C89FA34,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:12.224{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:12.224{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458F09E620F43054A081389004392EF8,SHA256=D189E8BEC804DD229D8B9D83F55A2C86AE6CE16BCF0F88EFFA5482E0C8F96F2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79A4-63C6-5702-00000000B102}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-79A4-63C6-5702-00000000B102}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.347{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79A4-63C6-5702-00000000B102}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:12.348{F6EEFE7F-79A4-63C6-5702-00000000B102}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.835{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD942F65AF7209D04EA4A21189B8411A,SHA256=16556FA6E5830184AAEE0549FAF3F168FEC1DE45FCF15808EB16DA1B3A23F94C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:13.285{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:13.285{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86569DF2E40DAFED1318A9BB6BCC4F7E,SHA256=812DB21269AF5DAB104852FAEE5468C513BA8F5C0B8FAA06F5850DDD1296A2CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.419{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.408{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 23542300x800000000000000069455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.403{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=416CA40363726A534A838927765B8837,SHA256=B62964014C72E573408AA8A358B6BB2FA9A7525B18AF207E2B827A53AF8555A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.383{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.370{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.336{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.328{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.313{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.305{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.300{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.293{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.292{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.289{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.288{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.286{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.275{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.271{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.261{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.253{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.250{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.237{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.224{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.191{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.179{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.164{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.157{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.145{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.140{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.133{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.126{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.109{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:13.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 23542300x800000000000000069486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB19980B440BEAA5FA79017737323FB,SHA256=F1C51279AA37464B0AC387C340A0D2C068F241E459D54A47256283766DED7100,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79A6-63C6-5902-00000000B102}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-79A6-63C6-5902-00000000B102}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.906{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79A6-63C6-5902-00000000B102}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.907{F6EEFE7F-79A6-63C6-5902-00000000B102}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000092156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:14.372{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:14.372{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF8389EA2407D7B49FAE173D407120A,SHA256=C9F95DBBB83E07C1416BFAD4D3F8AF058DAF454934C33228AB38257F18697F64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79A6-63C6-5802-00000000B102}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-79A6-63C6-5802-00000000B102}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000069461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=465974C5EF2AD365357A94BDE809B24B,SHA256=1CA43DAEC0A9BC3B57D3F3BFE4F547C6A04ADC6A865C01CB6B3E380BBB0A4564,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.226{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79A6-63C6-5802-00000000B102}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.227{F6EEFE7F-79A6-63C6-5802-00000000B102}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000092158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:15.487{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:15.487{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DE82BAA7D23A6C2CB5BB465CABD8B2,SHA256=0AD2D65365A30B606B80A5067C34663EA9CED611AF9C4136580C9C8B1987C7E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:14.089{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50359-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000069487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:15.109{F6EEFE7F-79A6-63C6-5902-00000000B102}59843844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000092169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.610{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.609{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABD364E5E5DE671A594B843B9B37210,SHA256=444DD2FE38964511A3E02E87048DA37624CB54347689726CD285923A851E54C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.417{F6EEFE7F-79A8-63C6-5A02-00000000B102}35645676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79A8-63C6-5A02-00000000B102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-79A8-63C6-5A02-00000000B102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.230{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79A8-63C6-5A02-00000000B102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.231{F6EEFE7F-79A8-63C6-5A02-00000000B102}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:16.011{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1E85DF89109B19AAE08D9317CBD46F,SHA256=F607956837CC38CAA1AC5A33792E00CB6F9DE60668BA564F521C6C17A5327B77,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000092167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.227{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 734700x800000000000000092166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.172{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\mydocs.dll10.0.14393.4169 (rs1_release.210107-1130)My Documents Folder UIMicrosoft® Windows® Operating SystemMicrosoft Corporationmydocs.dllMD5=999FD44CF5713852E6083A43A7917761,SHA256=D5C75951C29B7F0AAA4EC9E9AB3195933E650C1F171092F389FD4DB66CA1CA20,IMPHASH=D1267CC8F49B54A66A0034D2C4452E93trueMicrosoft WindowsValid 734700x800000000000000092165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.172{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\sendmail.dll10.0.14393.4169 (rs1_release.210107-1130)Send MailMicrosoft® Windows® Operating SystemMicrosoft CorporationSENDMAIL.DLLMD5=04626525E567811FC7ECB3E31D94F8B0,SHA256=678A3A9DD713DC61F72112BD3160B8753F1A50D1179FDFABD265C32103980A6A,IMPHASH=52DBB027F849F4DB11CB3C2B56C0E9FBtrueMicrosoft WindowsValid 10341000x800000000000000092164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.156{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.156{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.156{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.156{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.156{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:16.156{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000092172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:17.708{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:17.707{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A33FED6C8DE2E17AA9A140343A625A,SHA256=1860836A62D6B9B33DDE3C1F6D2BAF8FCD72A09DC129FFBBF833B2BA9FD00F8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.931{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79A9-63C6-5C02-00000000B102}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.931{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79A9-63C6-5C02-00000000B102}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.930{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79A9-63C6-5C02-00000000B102}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.930{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79A9-63C6-5C02-00000000B102}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.930{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79A9-63C6-5C02-00000000B102}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.930{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79A9-63C6-5C02-00000000B102}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79A9-63C6-5C02-00000000B102}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-79A9-63C6-5C02-00000000B102}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.827{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79A9-63C6-5C02-00000000B102}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.828{F6EEFE7F-79A9-63C6-5C02-00000000B102}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000069518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.342{F6EEFE7F-79A9-63C6-5B02-00000000B102}45604844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79A9-63C6-5B02-00000000B102}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-79A9-63C6-5B02-00000000B102}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.152{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79A9-63C6-5B02-00000000B102}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.153{F6EEFE7F-79A9-63C6-5B02-00000000B102}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:17.089{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC7BF8882EB94F6C51B60E90CEB40C4,SHA256=608AF81B9606CAEF5F353F5666919EFBD00250BFD69CDE221F31B5EE5836B253,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000092170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:14.208{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49595-false10.0.1.12-8000- 23542300x800000000000000069540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:18.963{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60940E08F13BD691933FA56FB3A83246,SHA256=7A7EA7800CA9ABAAC12222844AE0AB28DB1372066375FED2BD18ED3B11F0EB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:18.455{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E342CF6ED13F45C492F33CE3F2E1FA4D,SHA256=6FD17A3150A07A68AA5560CF3406B3F4E87F196B7552706B4CABB1E3EDDD954A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000092206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.889{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000092205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.889{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000092204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.889{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000092203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.888{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000092202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.888{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000092201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.888{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000092200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.815{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000092199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.811{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 11241100x800000000000000092198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.831{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.831{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968729B9139054DE89831CF9B018B25C,SHA256=BC969DB58EB28FDBCEC5F3B4FF47E8CBA95C98B3B39C7982FD375F21BEE5E125,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000092196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.809{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000092195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000092194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000092193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000092192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000092191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000092190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000092189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000092188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000092187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000092186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000092185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x800000000000000092184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.777{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000092183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.777{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000092182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.777{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000092181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.777{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exeMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7false-Unavailable 10341000x800000000000000092180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.777{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.777{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.777{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.777{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.777{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000092175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.777{F172AD64-7634-63C6-B901-00000000B002}49006296C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x800000000000000092174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.778{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Administrator\Downloads\dnSpy-net-win64\" -spe -an -ai#7zMap20625:108:7zEvent22893C:\Windows\system32\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 11241100x800000000000000092173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.206{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:34:18.206 10341000x800000000000000069538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:18.081{F6EEFE7F-79A9-63C6-5C02-00000000B102}57684336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000092496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.965{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 23542300x800000000000000069554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.586{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885BA53E41AB48D25991F5D443339F20,SHA256=07E498BD0E3F74047465C6DF11473217E3E6D8C16D7A93F498A5A9221F3A862E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79AB-63C6-5D02-00000000B102}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-79AB-63C6-5D02-00000000B102}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79AB-63C6-5D02-00000000B102}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.478{F6EEFE7F-79AB-63C6-5D02-00000000B102}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000092495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.965{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000092494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.957{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000092493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.961{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000092492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.960{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000092491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.959{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000092490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.958{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000092489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.958{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000092488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.950{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000092487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.950{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000092486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.950{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000092485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.949{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000092484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.949{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000092483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.948{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000092482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.948{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000092481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.948{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000092480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.948{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000092479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.948{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000092478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.948{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000092477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.947{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000092476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.947{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000092475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.947{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000092474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.947{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000092473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.947{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000092472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.947{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000092471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.947{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000092470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.947{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000092469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.947{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000092468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.946{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000092467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.946{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000092466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.946{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000092465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.946{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000092464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.946{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000092463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.946{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000092462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.946{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000092461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.946{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000092460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.945{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000092459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.944{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000092458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.944{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000092457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.943{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000092456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.943{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000092455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.943{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.943{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.942{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.942{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.939{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000092450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.939{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000092449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.941{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000092448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.939{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.939{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8034A3CC1ED2565D7B490FD951C7EDA2,SHA256=08BC48E4603062AAC231F2B911AA7E68F750EDE17CB90E9A4C91840D95D19695,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.931{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationCore.dll2023-01-17 10:34:19.931 11241100x800000000000000092445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.929{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PenImc_cor3.dll2023-01-17 10:34:19.927 11241100x800000000000000092444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.923{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Ookii.Dialogs.Wpf.dll2023-01-17 10:34:19.922 11241100x800000000000000092443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.921{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\netstandard.dll2023-01-17 10:34:19.921 11241100x800000000000000092442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.920{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\mscorrc.dll2023-01-17 10:34:19.919 11241100x800000000000000092441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.918{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\mscorlib.dll2023-01-17 10:34:19.918 11241100x800000000000000092440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.907{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\mscordbi.dll2023-01-17 10:34:19.907 11241100x800000000000000092439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.896{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\mscordaccore_amd64_amd64_5.0.20.51904.dll2023-01-17 10:34:19.896 11241100x800000000000000092438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.884{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\mscordaccore.dll2023-01-17 10:34:19.884 11241100x800000000000000092437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.883{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Mono.Debugger.Soft.pdb2023-01-17 10:34:19.883 11241100x800000000000000092436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.881{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Mono.Debugger.Soft.dll2023-01-17 10:34:19.881 11241100x800000000000000092435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.880{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.Win32.SystemEvents.dll2023-01-17 10:34:19.879 11241100x800000000000000092434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.877{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.Win32.Registry.dll2023-01-17 10:34:19.877 11241100x800000000000000092433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.876{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.Win32.Registry.AccessControl.dll2023-01-17 10:34:19.876 11241100x800000000000000092432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.876{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.Win32.Primitives.dll2023-01-17 10:34:19.875 11241100x800000000000000092431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.875{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualStudio.Validation.dll2023-01-17 10:34:19.875 11241100x800000000000000092430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.873{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualStudio.Text.UI.Wpf.dll2023-01-17 10:34:19.873 11241100x800000000000000092429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.872{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000092428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.872{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECCB5F835AC83A53F792197BB25EECD5,SHA256=06B5D9DEC228B17894500316FBCE57C2B33D906B6DBB9BEDDD88BFFB7C8DF020,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.871{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualStudio.Text.UI.dll2023-01-17 10:34:19.871 11241100x800000000000000092426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.870{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualStudio.Text.Logic.dll2023-01-17 10:34:19.870 11241100x800000000000000092425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.868{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualStudio.Text.Data.dll2023-01-17 10:34:19.868 11241100x800000000000000092424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.866{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualStudio.Language.Intellisense.dll2023-01-17 10:34:19.866 11241100x800000000000000092423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.865{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualStudio.CoreUtility.dll2023-01-17 10:34:19.865 11241100x800000000000000092422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.864{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualStudio.Composition.NetFxAttributes.dll2023-01-17 10:34:19.864 11241100x800000000000000092421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.861{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualStudio.Composition.dll2023-01-17 10:34:19.860 11241100x800000000000000092420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.858{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualBasic.Forms.dll2023-01-17 10:34:19.857 11241100x800000000000000092419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.857{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualBasic.dll2023-01-17 10:34:19.857 11241100x800000000000000092418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.845{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.VisualBasic.Core.dll2023-01-17 10:34:19.844 11241100x800000000000000092417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.832{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.DiaSymReader.Native.x86.dll2023-01-17 10:34:19.832 11241100x800000000000000092416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.817{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.DiaSymReader.Native.amd64.dll2023-01-17 10:34:19.817 11241100x800000000000000092415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.809{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.Diagnostics.Runtime.dll2023-01-17 10:34:19.809 11241100x800000000000000092414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.792{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CSharp.dll2023-01-17 10:34:19.792 11241100x800000000000000092413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.761{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.Workspaces.dll2023-01-17 10:34:19.761 11241100x800000000000000092412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.761{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.VisualBasic.Workspaces.dll2023-01-17 10:34:19.761 11241100x800000000000000092411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.745{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.VisualBasic.Features.dll2023-01-17 10:34:19.745 11241100x800000000000000092410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.745{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.pdb2023-01-17 10:34:19.745 11241100x800000000000000092409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.745{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.dll2023-01-17 10:34:19.745 11241100x800000000000000092408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.692{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.VisualBasic.dll2023-01-17 10:34:19.692 11241100x800000000000000092407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.692{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.Scripting.dll2023-01-17 10:34:19.692 11241100x800000000000000092406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.677{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.Features.dll2023-01-17 10:34:19.677 11241100x800000000000000092405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.677{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.pdb2023-01-17 10:34:19.677 11241100x800000000000000092404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.677{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.dll2023-01-17 10:34:19.677 11241100x800000000000000092403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.dll2023-01-17 10:34:19.646 11241100x800000000000000092402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.CSharp.Workspaces.dll2023-01-17 10:34:19.646 11241100x800000000000000092401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.CSharp.Scripting.dll2023-01-17 10:34:19.646 11241100x800000000000000092400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.632{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.CSharp.Features.dll2023-01-17 10:34:19.632 11241100x800000000000000092399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.632{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.pdb2023-01-17 10:34:19.632 11241100x800000000000000092398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.632{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.dll2023-01-17 10:34:19.632 11241100x800000000000000092397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.570{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.CSharp.dll2023-01-17 10:34:19.570 11241100x800000000000000092396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.570{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.TreeView.pdb2023-01-17 10:34:19.570 11241100x800000000000000092395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.570{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.TreeView.dll2023-01-17 10:34:19.570 11241100x800000000000000092394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.570{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.VB.pdb2023-01-17 10:34:19.570 11241100x800000000000000092393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.570{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.VB.dll2023-01-17 10:34:19.570 11241100x800000000000000092392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.570{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.pdb2023-01-17 10:34:19.570 11241100x800000000000000092391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.570{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.dll2023-01-17 10:34:19.570 11241100x800000000000000092390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.570{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.570{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D285D3B6682F55D687B62B6A7125FA2,SHA256=7670DA6D3BECE026F9CF0650D2736AB481FA36E40DFB882E5B6490E27B48F810,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.568{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.CSharp.pdb2023-01-17 10:34:19.568 11241100x800000000000000092387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.561{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.CSharp.dll2023-01-17 10:34:19.561 11241100x800000000000000092386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.560{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.Decompiler.pdb2023-01-17 10:34:19.560 11241100x800000000000000092385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.554{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.Decompiler.dll2023-01-17 10:34:19.554 11241100x800000000000000092384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.543{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Iced.dll2023-01-17 10:34:19.543 11241100x800000000000000092383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.539{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Humanizer.dll2023-01-17 10:34:19.539 11241100x800000000000000092382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hostpolicy.dll2023-01-17 10:34:19.535 11241100x800000000000000092381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.528{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hostfxr.dll2023-01-17 10:34:19.528 11241100x800000000000000092380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.527{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Scripting.Roslyn.x.pdb2023-01-17 10:34:19.527 11241100x800000000000000092379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.526{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Scripting.Roslyn.x.dll2023-01-17 10:34:19.526 11241100x800000000000000092378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.525{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Scripting.Roslyn.x.deps.json2023-01-17 10:34:19.525 11241100x800000000000000092377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.524{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.runtimeconfig.json2023-01-17 10:34:19.524 11241100x800000000000000092376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.523{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.xml2023-01-17 10:34:19.523 11241100x800000000000000092375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.523{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.VisualBasic.Internal.pdb2023-01-17 10:34:19.523 11241100x800000000000000092374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.522{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.VisualBasic.Internal.dll2023-01-17 10:34:19.522 11241100x800000000000000092373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.522{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.pdb2023-01-17 10:34:19.522 11241100x800000000000000092372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.520{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.dll2023-01-17 10:34:19.520 11241100x800000000000000092371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.518{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.pdb2023-01-17 10:34:19.518 11241100x800000000000000092370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.518{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.Internal.pdb2023-01-17 10:34:19.518 11241100x800000000000000092369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.516{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.Internal.dll2023-01-17 10:34:19.516 11241100x800000000000000092368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.516{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.EditorFeatures.pdb2023-01-17 10:34:19.515 11241100x800000000000000092367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.515{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.EditorFeatures.dll2023-01-17 10:34:19.515 11241100x800000000000000092366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.511{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.dll2023-01-17 10:34:19.510 11241100x800000000000000092365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.510{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.CSharp.Internal.pdb2023-01-17 10:34:19.509 11241100x800000000000000092364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.508{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.CSharp.Internal.dll2023-01-17 10:34:19.508 11241100x800000000000000092363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.508{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.CSharp.EditorFeatures.pdb2023-01-17 10:34:19.507 11241100x800000000000000092362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.492{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.CSharp.EditorFeatures.dll2023-01-17 10:34:19.492 11241100x800000000000000092361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.492{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.pdb2023-01-17 10:34:19.492 11241100x800000000000000092360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.492{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Images.pdb2023-01-17 10:34:19.492 11241100x800000000000000092359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.476{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Images.dll2023-01-17 10:34:19.476 11241100x800000000000000092358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.460{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.dll2023-01-17 10:34:19.460 11241100x800000000000000092357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.460{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.deps.json2023-01-17 10:34:19.445 11241100x800000000000000092356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.445{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.pdb2023-01-17 10:34:19.445 11241100x800000000000000092355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.445{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.x.pdb2023-01-17 10:34:19.445 11241100x800000000000000092354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.445{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.x.dll2023-01-17 10:34:19.445 11241100x800000000000000092353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.445{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.x.deps.json2023-01-17 10:34:19.445 11241100x800000000000000092352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.445{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.Core.pdb2023-01-17 10:34:19.445 11241100x800000000000000092351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.445{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.Core.dll2023-01-17 10:34:19.445 11241100x800000000000000092350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.445{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.dll2023-01-17 10:34:19.445 11241100x800000000000000092349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.445{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.x.pdb2023-01-17 10:34:19.445 11241100x800000000000000092348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.431{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.x.dll2023-01-17 10:34:19.431 11241100x800000000000000092347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.431{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.x.deps.json2023-01-17 10:34:19.431 11241100x800000000000000092346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.431{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.x.pdb2023-01-17 10:34:19.431 11241100x800000000000000092345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.431{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.x.dll2023-01-17 10:34:19.431 11241100x800000000000000092344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.431{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.x.deps.json2023-01-17 10:34:19.431 11241100x800000000000000092343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.415{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Mono.x.pdb2023-01-17 10:34:19.415 11241100x800000000000000092342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.415{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Mono.x.dll2023-01-17 10:34:19.415 11241100x800000000000000092341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.415{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Mono.x.deps.json2023-01-17 10:34:19.415 11241100x800000000000000092340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.415{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Metadata.xml2023-01-17 10:34:19.415 11241100x800000000000000092339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.415{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Metadata.pdb2023-01-17 10:34:19.415 11241100x800000000000000092338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.415{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Metadata.dll2023-01-17 10:34:19.415 11241100x800000000000000092337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.415{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Interpreter.xml2023-01-17 10:34:19.415 11241100x800000000000000092336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.415{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Interpreter.pdb2023-01-17 10:34:19.415 11241100x800000000000000092335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.415{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Interpreter.dll2023-01-17 10:34:19.415 11241100x800000000000000092334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.412{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.CorDebug.x.pdb2023-01-17 10:34:19.412 11241100x800000000000000092333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.406{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.CorDebug.x.dll2023-01-17 10:34:19.406 11241100x800000000000000092332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.405{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.CorDebug.x.deps.json2023-01-17 10:34:19.405 11241100x800000000000000092331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.404{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Logic.xml2023-01-17 10:34:19.404 11241100x800000000000000092330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Logic.pdb2023-01-17 10:34:19.388 11241100x800000000000000092329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Logic.dll2023-01-17 10:34:19.388 11241100x800000000000000092328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.DnSpy.xml2023-01-17 10:34:19.388 11241100x800000000000000092327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.DnSpy.pdb2023-01-17 10:34:19.388 11241100x800000000000000092326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.374{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.DnSpy.dll2023-01-17 10:34:19.374 11241100x800000000000000092325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.374{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.xml2023-01-17 10:34:19.374 11241100x800000000000000092324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.374{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.pdb2023-01-17 10:34:19.374 11241100x800000000000000092323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.374{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.xml2023-01-17 10:34:19.374 11241100x800000000000000092322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.374{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.pdb2023-01-17 10:34:19.374 11241100x800000000000000092321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.374{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.Mono.xml2023-01-17 10:34:19.374 11241100x800000000000000092320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.374{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.Mono.pdb2023-01-17 10:34:19.374 11241100x800000000000000092319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.374{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.Mono.dll2023-01-17 10:34:19.374 11241100x800000000000000092318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.dll2023-01-17 10:34:19.359 11241100x800000000000000092317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.xml2023-01-17 10:34:19.359 11241100x800000000000000092316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.pdb2023-01-17 10:34:19.359 11241100x800000000000000092315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.dll2023-01-17 10:34:19.359 11241100x800000000000000092314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.dll2023-01-17 10:34:19.359 11241100x800000000000000092313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Console.runtimeconfig.json2023-01-17 10:34:19.359 11241100x800000000000000092312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Console.pdb2023-01-17 10:34:19.359 11241100x800000000000000092311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Console.dll2023-01-17 10:34:19.359 11241100x800000000000000092310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Console.deps.json2023-01-17 10:34:19.359 11241100x800000000000000092309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.BamlDecompiler.x.pdb2023-01-17 10:34:19.359 11241100x800000000000000092308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.BamlDecompiler.x.dll2023-01-17 10:34:19.359 11241100x800000000000000092307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.BamlDecompiler.x.deps.json2023-01-17 10:34:19.359 11241100x800000000000000092306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.355{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.AsmEditor.x.pdb2023-01-17 10:34:19.355 11241100x800000000000000092305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.343{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.AsmEditor.x.dll2023-01-17 10:34:19.343 11241100x800000000000000092304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.342{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.AsmEditor.x.deps.json2023-01-17 10:34:19.342 11241100x800000000000000092303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.341{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Analyzer.x.pdb2023-01-17 10:34:19.339 11241100x800000000000000092302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.337{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Analyzer.x.dll2023-01-17 10:34:19.337 11241100x800000000000000092301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.337{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Analyzer.x.deps.json2023-01-17 10:34:19.337 11241100x800000000000000092300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.327{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnlib.dll2023-01-17 10:34:19.327 11241100x800000000000000092299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.322{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\DirectWriteForwarder.dll2023-01-17 10:34:19.322 11241100x800000000000000092298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.320{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dbgshim.dll2023-01-17 10:34:19.320 11241100x800000000000000092297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.280{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.279{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6F75C68A48F4A4D3609A64EF177C27,SHA256=EE13F3287C16D625DF193F24A769170A9467013663F222E290611D1773766595,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.275{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\D3DCompiler_47_cor3.dll2023-01-17 10:34:19.275 11241100x800000000000000092294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.275{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\CSharpInteractive.rsp2023-01-17 10:34:19.275 11241100x800000000000000092293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.273{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\createdump.exe2023-01-17 10:34:19.273 734700x800000000000000092292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000092291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 11241100x800000000000000092290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.209{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\coreclr.dll2023-01-17 10:34:19.209 734700x800000000000000092289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.060{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000092288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.045{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 11241100x800000000000000092287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\clrjit.dll2023-01-17 10:34:19.177 734700x800000000000000092286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.045{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 11241100x800000000000000092285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\clretwrc.dll2023-01-17 10:34:19.177 10341000x800000000000000092284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-7634-63C6-B901-00000000B002}49005544C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-7634-63C6-B901-00000000B002}49005544C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-7634-63C6-B901-00000000B002}49005544C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000092278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.045{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 10341000x800000000000000092277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-7634-63C6-B901-00000000B002}49005544C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000092276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\clrcompression.dll2023-01-17 10:34:19.177 11241100x800000000000000092275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.177{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-utility-l1-1-0.dll2023-01-17 10:34:19.177 11241100x800000000000000092274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-time-l1-1-0.dll2023-01-17 10:34:19.162 10341000x800000000000000092273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000092272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-string-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-stdio-l1-1-0.dll2023-01-17 10:34:19.162 10341000x800000000000000092270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000092269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-runtime-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-process-l1-1-0.dll2023-01-17 10:34:19.162 10341000x800000000000000092267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000092266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-private-l1-1-0.dll2023-01-17 10:34:19.162 10341000x800000000000000092265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000092262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-math-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-locale-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-heap-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-environment-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-convert-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-crt-conio-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-util-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-timezone-l1-1-0.dll2023-01-17 10:34:19.162 11241100x800000000000000092252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.162{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-sysinfo-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-synch-l1-2-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-synch-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-string-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-rtlsupport-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-profile-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-processthreads-l1-1-1.dll2023-01-17 10:34:19.148 11241100x800000000000000092245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-processthreads-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-processenvironment-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-namedpipe-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-memory-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-localization-l1-2-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-libraryloader-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-interlocked-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-heap-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-handle-l1-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.148{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-file-l2-1-0.dll2023-01-17 10:34:19.148 11241100x800000000000000092235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-file-l1-2-0.dll2023-01-17 10:34:19.132 11241100x800000000000000092234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-file-l1-1-0.dll2023-01-17 10:34:19.132 11241100x800000000000000092233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-errorhandling-l1-1-0.dll2023-01-17 10:34:19.132 11241100x800000000000000092232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-debug-l1-1-0.dll2023-01-17 10:34:19.132 11241100x800000000000000092231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-datetime-l1-1-0.dll2023-01-17 10:34:19.132 11241100x800000000000000092230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-console-l1-2-0.dll2023-01-17 10:34:19.132 11241100x800000000000000092229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\api-ms-win-core-console-l1-1-0.dll2023-01-17 10:34:19.132 11241100x800000000000000092228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Accessibility.dll2023-01-17 10:34:19.132 11241100x800000000000000092227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin2023-01-17 10:34:19.132 11241100x800000000000000092226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win642023-01-17 10:34:19.132 10341000x800000000000000092225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000092224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.132{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 734700x800000000000000092223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.993{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000092222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:18.977{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000092221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.092{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000092220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.092{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000092219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.092{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000092218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.076{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7z.dll22.017z Plugin7-ZipIgor Pavlov7z.dllMD5=BBF51226A8670475F283A2D57460D46C,SHA256=73578F14D50F747EFA82527A503F1AD542F9DB170E2901EDDB54D6BCE93FC00E,IMPHASH=4A683D6F78CDDF7C7CDA44D5A4669025false-Unavailable 10341000x800000000000000092217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.060{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.060{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.060{F172AD64-6CE8-63C6-1000-00000000B002}3566744C:\Windows\system32\svchost.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.060{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000092213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.045{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000092212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.045{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000092211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.045{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000092210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.045{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000092209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.045{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000092208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.045{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000092207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.045{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 23542300x800000000000000069555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:20.555{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F42695C84830311871CF2547BCDFE96,SHA256=0EE134CF07A775246472E768B6D241FE3914AA85F63EB284A78F787852A01C3D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.956{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Forms.dll2023-01-17 10:34:20.956 11241100x800000000000000092743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.955{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Forms.Design.Editors.dll2023-01-17 10:34:20.955 11241100x800000000000000092742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.923{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Forms.Design.dll2023-01-17 10:34:20.923 11241100x800000000000000092741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.922{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Extensions.dll2023-01-17 10:34:20.921 11241100x800000000000000092740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.921{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.dll2023-01-17 10:34:20.921 11241100x800000000000000092739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.909{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Controls.Ribbon.dll2023-01-17 10:34:20.909 11241100x800000000000000092738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.908{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Web.HttpUtility.dll2023-01-17 10:34:20.908 11241100x800000000000000092737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.907{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Web.dll2023-01-17 10:34:20.907 11241100x800000000000000092736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.906{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ValueTuple.dll2023-01-17 10:34:20.906 11241100x800000000000000092735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.903{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Transactions.Local.dll2023-01-17 10:34:20.903 11241100x800000000000000092734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.902{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Transactions.dll2023-01-17 10:34:20.902 11241100x800000000000000092733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.901{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Timer.dll2023-01-17 10:34:20.901 11241100x800000000000000092732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.901{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.ThreadPool.dll2023-01-17 10:34:20.900 11241100x800000000000000092731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.900{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Thread.dll2023-01-17 10:34:20.900 11241100x800000000000000092730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.898{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Tasks.Parallel.dll2023-01-17 10:34:20.898 11241100x800000000000000092729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.898{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Tasks.Extensions.dll2023-01-17 10:34:20.897 11241100x800000000000000092728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.897{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Tasks.dll2023-01-17 10:34:20.897 11241100x800000000000000092727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.891{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Tasks.Dataflow.dll2023-01-17 10:34:20.891 11241100x800000000000000092726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.891{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Overlapped.dll2023-01-17 10:34:20.891 11241100x800000000000000092725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.890{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.dll2023-01-17 10:34:20.890 11241100x800000000000000092724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.887{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Channels.dll2023-01-17 10:34:20.887 11241100x800000000000000092723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.886{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.AccessControl.dll2023-01-17 10:34:20.886 11241100x800000000000000092722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.880{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Text.RegularExpressions.dll2023-01-17 10:34:20.879 11241100x800000000000000092721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.871{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Text.Json.dll2023-01-17 10:34:20.871 11241100x800000000000000092720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.870{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Text.Encodings.Web.dll2023-01-17 10:34:20.870 11241100x800000000000000092719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.869{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Text.Encoding.Extensions.dll2023-01-17 10:34:20.869 11241100x800000000000000092718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.868{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Text.Encoding.dll2023-01-17 10:34:20.868 11241100x800000000000000092717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.860{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Text.Encoding.CodePages.dll2023-01-17 10:34:20.860 11241100x800000000000000092716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.859{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ServiceProcess.dll2023-01-17 10:34:20.859 11241100x800000000000000092715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.858{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ServiceModel.Web.dll2023-01-17 10:34:20.858 11241100x800000000000000092714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.858{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.SecureString.dll2023-01-17 10:34:20.858 11241100x800000000000000092713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.856{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Principal.Windows.dll2023-01-17 10:34:20.856 11241100x800000000000000092712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.855{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Principal.dll2023-01-17 10:34:20.855 11241100x800000000000000092711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.853{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Permissions.dll2023-01-17 10:34:20.853 11241100x800000000000000092710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.852{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.dll2023-01-17 10:34:20.852 11241100x800000000000000092709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.848{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.Xml.dll2023-01-17 10:34:20.848 10341000x800000000000000092708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.845{F172AD64-79AC-63C6-8502-00000000B002}13645776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000092707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.845{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000092706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.845{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000092705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.842{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.X509Certificates.dll2023-01-17 10:34:20.842 11241100x800000000000000092704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.841{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.ProtectedData.dll2023-01-17 10:34:20.841 11241100x800000000000000092703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.839{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.Primitives.dll2023-01-17 10:34:20.839 11241100x800000000000000092702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.831{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.Pkcs.dll2023-01-17 10:34:20.831 11241100x800000000000000092701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.831{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.OpenSsl.dll2023-01-17 10:34:20.830 11241100x800000000000000092700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.829{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.Encoding.dll2023-01-17 10:34:20.829 11241100x800000000000000092699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.827{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.Csp.dll2023-01-17 10:34:20.827 11241100x800000000000000092698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.822{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.Cng.dll2023-01-17 10:34:20.822 11241100x800000000000000092697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.814{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.Algorithms.dll2023-01-17 10:34:20.814 11241100x800000000000000092696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.813{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Claims.dll2023-01-17 10:34:20.813 11241100x800000000000000092695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.810{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.AccessControl.dll2023-01-17 10:34:20.810 11241100x800000000000000092694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.809{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Serialization.Xml.dll2023-01-17 10:34:20.809 11241100x800000000000000092693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.809{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Serialization.Primitives.dll2023-01-17 10:34:20.808 11241100x800000000000000092692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.808{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Serialization.Json.dll2023-01-17 10:34:20.808 11241100x800000000000000092691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.804{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Serialization.Formatters.dll2023-01-17 10:34:20.804 11241100x800000000000000092690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.803{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Serialization.dll2023-01-17 10:34:20.803 11241100x800000000000000092689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.800{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Numerics.dll2023-01-17 10:34:20.800 11241100x800000000000000092688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.799{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Loader.dll2023-01-17 10:34:20.799 11241100x800000000000000092687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.799{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Intrinsics.dll2023-01-17 10:34:20.799 11241100x800000000000000092686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.798{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.InteropServices.RuntimeInformation.dll2023-01-17 10:34:20.798 11241100x800000000000000092685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.797{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.InteropServices.dll2023-01-17 10:34:20.796 11241100x800000000000000092684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.796{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Handles.dll2023-01-17 10:34:20.796 10341000x800000000000000092683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.796{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000092682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.796{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000092681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.796{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000092680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.795{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Extensions.dll2023-01-17 10:34:20.795 11241100x800000000000000092679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.794{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.dll2023-01-17 10:34:20.794 11241100x800000000000000092678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.793{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.CompilerServices.VisualC.dll2023-01-17 10:34:20.793 11241100x800000000000000092677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.792{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.CompilerServices.Unsafe.dll2023-01-17 10:34:20.792 11241100x800000000000000092676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.791{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Resources.Writer.dll2023-01-17 10:34:20.791 11241100x800000000000000092675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Resources.ResourceManager.dll2023-01-17 10:34:20.790 11241100x800000000000000092674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.790{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Resources.Reader.dll2023-01-17 10:34:20.789 11241100x800000000000000092673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.788{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Resources.Extensions.dll2023-01-17 10:34:20.788 11241100x800000000000000092672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.787{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.TypeExtensions.dll2023-01-17 10:34:20.787 11241100x800000000000000092671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.786{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Primitives.dll2023-01-17 10:34:20.786 11241100x800000000000000092670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.775{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Metadata.dll2023-01-17 10:34:20.775 11241100x800000000000000092669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.775{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Extensions.dll2023-01-17 10:34:20.774 11241100x800000000000000092668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.774{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Emit.Lightweight.dll2023-01-17 10:34:20.774 11241100x800000000000000092667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.773{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Emit.ILGeneration.dll2023-01-17 10:34:20.773 11241100x800000000000000092666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.772{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Emit.dll2023-01-17 10:34:20.772 11241100x800000000000000092665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.771{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.dll2023-01-17 10:34:20.771 11241100x800000000000000092664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.770{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.DispatchProxy.dll2023-01-17 10:34:20.770 11241100x800000000000000092663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.765{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Private.Xml.Linq.dll2023-01-17 10:34:20.765 11241100x800000000000000092662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Private.Xml.dll2023-01-17 10:34:20.649 11241100x800000000000000092661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Private.Uri.dll2023-01-17 10:34:20.649 734700x800000000000000092660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000092659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000092658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000092657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000092656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000092655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000092654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000092653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000092652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.649{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000092651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000092650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000092649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000092648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000092647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000092646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000092645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000092644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000092643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000092642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000092641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000092640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000092639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000092638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000092637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000092636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000092635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000092634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000092633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000092632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000092631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000092630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000092629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000092628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000092627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000092626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000092625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 11241100x800000000000000092624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Private.DataContractSerialization.dll2023-01-17 10:34:20.633 10341000x800000000000000092623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000092622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000092621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000092620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000092619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000092618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000092613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.633{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000092612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.634{F172AD64-79AC-63C6-8502-00000000B002}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000092611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.550{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Private.CoreLib.dll2023-01-17 10:34:20.550 11241100x800000000000000092610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Printing.dll2023-01-17 10:34:20.535 11241100x800000000000000092609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ObjectModel.dll2023-01-17 10:34:20.535 11241100x800000000000000092608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Numerics.Vectors.dll2023-01-17 10:34:20.535 11241100x800000000000000092607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Numerics.dll2023-01-17 10:34:20.535 11241100x800000000000000092606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.WebSockets.dll2023-01-17 10:34:20.535 11241100x800000000000000092605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.WebSockets.Client.dll2023-01-17 10:34:20.535 11241100x800000000000000092604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.WebProxy.dll2023-01-17 10:34:20.535 11241100x800000000000000092603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.WebHeaderCollection.dll2023-01-17 10:34:20.535 11241100x800000000000000092602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.521{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.WebClient.dll2023-01-17 10:34:20.521 11241100x800000000000000092601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.521{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.Sockets.dll2023-01-17 10:34:20.521 11241100x800000000000000092600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.521{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.ServicePoint.dll2023-01-17 10:34:20.521 11241100x800000000000000092599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.505{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.Security.dll2023-01-17 10:34:20.505 11241100x800000000000000092598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.505{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.Requests.dll2023-01-17 10:34:20.505 11241100x800000000000000092597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.505{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.Primitives.dll2023-01-17 10:34:20.505 11241100x800000000000000092596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.505{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.Ping.dll2023-01-17 10:34:20.505 11241100x800000000000000092595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.505{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.NetworkInformation.dll2023-01-17 10:34:20.505 11241100x800000000000000092594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.505{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.NameResolution.dll2023-01-17 10:34:20.505 11241100x800000000000000092593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.488{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.Mail.dll2023-01-17 10:34:20.488 11241100x800000000000000092592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.488{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.HttpListener.dll2023-01-17 10:34:20.488 11241100x800000000000000092591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.488{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.Http.Json.dll2023-01-17 10:34:20.488 11241100x800000000000000092590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.473{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.Http.dll2023-01-17 10:34:20.473 11241100x800000000000000092589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.473{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.dll2023-01-17 10:34:20.473 11241100x800000000000000092588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.473{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Memory.dll2023-01-17 10:34:20.473 11241100x800000000000000092587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.471{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Linq.Queryable.dll2023-01-17 10:34:20.471 11241100x800000000000000092586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.449{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Linq.Parallel.dll2023-01-17 10:34:20.449 11241100x800000000000000092585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.418{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Linq.Expressions.dll2023-01-17 10:34:20.418 11241100x800000000000000092584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.418{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Linq.dll2023-01-17 10:34:20.418 11241100x800000000000000092583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.418{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.UnmanagedMemoryStream.dll2023-01-17 10:34:20.418 11241100x800000000000000092582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.Pipes.dll2023-01-17 10:34:20.402 11241100x800000000000000092581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.Pipes.AccessControl.dll2023-01-17 10:34:20.402 11241100x800000000000000092580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.Packaging.dll2023-01-17 10:34:20.402 11241100x800000000000000092579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.MemoryMappedFiles.dll2023-01-17 10:34:20.402 11241100x800000000000000092578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.IsolatedStorage.dll2023-01-17 10:34:20.402 11241100x800000000000000092577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.FileSystem.Watcher.dll2023-01-17 10:34:20.402 11241100x800000000000000092576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.FileSystem.Primitives.dll2023-01-17 10:34:20.402 11241100x800000000000000092575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.FileSystem.DriveInfo.dll2023-01-17 10:34:20.402 11241100x800000000000000092574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.FileSystem.dll2023-01-17 10:34:20.402 11241100x800000000000000092573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.FileSystem.AccessControl.dll2023-01-17 10:34:20.402 11241100x800000000000000092572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.dll2023-01-17 10:34:20.402 11241100x800000000000000092571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.Compression.ZipFile.dll2023-01-17 10:34:20.388 11241100x800000000000000092570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.Compression.FileSystem.dll2023-01-17 10:34:20.388 11241100x800000000000000092569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.Compression.dll2023-01-17 10:34:20.388 11241100x800000000000000092568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.Compression.Brotli.dll2023-01-17 10:34:20.388 11241100x800000000000000092567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Globalization.Extensions.dll2023-01-17 10:34:20.388 11241100x800000000000000092566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Globalization.dll2023-01-17 10:34:20.388 11241100x800000000000000092565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Globalization.Calendars.dll2023-01-17 10:34:20.388 11241100x800000000000000092564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Formats.Asn1.dll2023-01-17 10:34:20.388 11241100x800000000000000092563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Dynamic.Runtime.dll2023-01-17 10:34:20.388 11241100x800000000000000092562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Drawing.Primitives.dll2023-01-17 10:34:20.388 11241100x800000000000000092561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Drawing.dll2023-01-17 10:34:20.388 11241100x800000000000000092560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.373{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Drawing.Design.dll2023-01-17 10:34:20.373 11241100x800000000000000092559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.373{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Drawing.Common.dll2023-01-17 10:34:20.373 11241100x800000000000000092558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.373{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.dll2023-01-17 10:34:20.373 11241100x800000000000000092557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.367{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.DirectoryServices.dll2023-01-17 10:34:20.367 11241100x800000000000000092556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.367{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.Tracing.dll2023-01-17 10:34:20.367 11241100x800000000000000092555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.365{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.TraceSource.dll2023-01-17 10:34:20.365 11241100x800000000000000092554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.364{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.Tools.dll2023-01-17 10:34:20.364 11241100x800000000000000092553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.363{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.TextWriterTraceListener.dll2023-01-17 10:34:20.363 11241100x800000000000000092552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.362{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.StackTrace.dll2023-01-17 10:34:20.362 11241100x800000000000000092551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.Process.dll2023-01-17 10:34:20.359 11241100x800000000000000092550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.355{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.PerformanceCounter.dll2023-01-17 10:34:20.355 11241100x800000000000000092549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.354{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.FileVersionInfo.dll2023-01-17 10:34:20.354 11241100x800000000000000092548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.350{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.EventLog.dll2023-01-17 10:34:20.350 11241100x800000000000000092547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.348{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.DiagnosticSource.dll2023-01-17 10:34:20.348 11241100x800000000000000092546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.347{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.Debug.dll2023-01-17 10:34:20.347 11241100x800000000000000092545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.347{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.Contracts.dll2023-01-17 10:34:20.346 11241100x800000000000000092544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.346{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Design.dll2023-01-17 10:34:20.346 11241100x800000000000000092543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.345{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Data.dll2023-01-17 10:34:20.345 11241100x800000000000000092542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.344{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Data.DataSetExtensions.dll2023-01-17 10:34:20.344 11241100x800000000000000092541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.317{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Data.Common.dll2023-01-17 10:34:20.317 11241100x800000000000000092540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.316{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Core.dll2023-01-17 10:34:20.316 11241100x800000000000000092539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.314{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Console.dll2023-01-17 10:34:20.314 11241100x800000000000000092538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.313{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Configuration.dll2023-01-17 10:34:20.313 11241100x800000000000000092537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.304{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Configuration.ConfigurationManager.dll2023-01-17 10:34:20.304 11241100x800000000000000092536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.302{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Composition.TypedParts.dll2023-01-17 10:34:20.302 11241100x800000000000000092535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.302{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Composition.Runtime.dll2023-01-17 10:34:20.301 11241100x800000000000000092534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.300{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Composition.Hosting.dll2023-01-17 10:34:20.300 11241100x800000000000000092533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.299{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Composition.Convention.dll2023-01-17 10:34:20.299 11241100x800000000000000092532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.299{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Composition.AttributedModel.dll2023-01-17 10:34:20.298 11241100x800000000000000092531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.291{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.TypeConverter.dll2023-01-17 10:34:20.291 11241100x800000000000000092530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.290{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.Primitives.dll2023-01-17 10:34:20.290 11241100x800000000000000092529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.289{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.EventBasedAsync.dll2023-01-17 10:34:20.289 11241100x800000000000000092528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.288{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.dll2023-01-17 10:34:20.288 11241100x800000000000000092527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.287{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.DataAnnotations.dll2023-01-17 10:34:20.287 11241100x800000000000000092526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.284{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.Composition.dll2023-01-17 10:34:20.284 11241100x800000000000000092525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.282{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.Annotations.dll2023-01-17 10:34:20.282 11241100x800000000000000092524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.280{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Collections.Specialized.dll2023-01-17 10:34:20.280 11241100x800000000000000092523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.279{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Collections.NonGeneric.dll2023-01-17 10:34:20.279 11241100x800000000000000092522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.272{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Collections.Immutable.dll2023-01-17 10:34:20.272 11241100x800000000000000092521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.270{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Collections.dll2023-01-17 10:34:20.270 11241100x800000000000000092520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.267{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Collections.Concurrent.dll2023-01-17 10:34:20.267 11241100x800000000000000092519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.262{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.CodeDom.dll2023-01-17 10:34:20.261 11241100x800000000000000092518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.261{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Buffers.dll2023-01-17 10:34:20.261 11241100x800000000000000092517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.260{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.AppContext.dll2023-01-17 10:34:20.260 11241100x800000000000000092516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.244{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ReachFramework.dll2023-01-17 10:34:20.244 11241100x800000000000000092515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.233{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationUI.dll2023-01-17 10:34:20.233 11241100x800000000000000092514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.219{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationNative_cor3.dll2023-01-17 10:34:20.219 11241100x800000000000000092513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.219{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework-SystemXmlLinq.dll2023-01-17 10:34:20.218 11241100x800000000000000092512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.216{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework-SystemXml.dll2023-01-17 10:34:20.216 11241100x800000000000000092511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.215{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework-SystemDrawing.dll2023-01-17 10:34:20.215 11241100x800000000000000092510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.214{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework-SystemData.dll2023-01-17 10:34:20.214 11241100x800000000000000092509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.213{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework-SystemCore.dll2023-01-17 10:34:20.213 11241100x800000000000000092508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.210{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework.Royale.dll2023-01-17 10:34:20.210 11241100x800000000000000092507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.205{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework.Luna.dll2023-01-17 10:34:20.204 734700x800000000000000092506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.138{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000092505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.137{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000092504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.136{F172AD64-79AB-63C6-8402-00000000B002}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000092503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.074{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.073{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F571C0BCE15EB4DBEFA4F72F30EC6980,SHA256=A72E0A8585D91F19A2E4067504FD0A9EFE783FCFF81FB1A12B1106D30B926CFF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.038{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework.dll2023-01-17 10:34:20.038 11241100x800000000000000092500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.035{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework.Classic.dll2023-01-17 10:34:20.035 11241100x800000000000000092499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.030{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework.AeroLite.dll2023-01-17 10:34:20.030 11241100x800000000000000092498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.029{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework.Aero2.dll2023-01-17 10:34:20.029 11241100x800000000000000092497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.025{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework.Aero.dll2023-01-17 10:34:20.024 23542300x800000000000000069558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:21.666{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C3183076FA2C2686FD75F8EC835BFF,SHA256=1454CFA3CAA12FFB0867E8A5E46BB79A0A1EB87B885F761377DBD20DC673801D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000093317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.991{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.991{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C5110EFAAC572E8F0ED6158DDC352D,SHA256=0568272DCF6E45AAE93DE70A9058D6E6CC9BA273EF23B85DFCC7BF43DF0EA628,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.886{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000093314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.886{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000093313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.886{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000069557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:21.530{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-052MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:19.107{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50360-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000093312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.830{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.830{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5177342739D84CA61FE233D09A2C7F3E,SHA256=B5131BBBF097834D4B029339C63C4F9CBB1DC6B44AE3E344704D0728755645C5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.731{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 11241100x800000000000000093309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.731{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x800000000000000093308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.731{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 23542300x800000000000000093307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.731{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFC067F851E5389DA8093D4BEDB2B37,SHA256=A5B99B9F5FBAA58BA4C2FB0E02B7700D162B6AE65BB0A92F806B424D7C309B20,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.731{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000093305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.731{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000093304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.731{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000093303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.731{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000093302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.731{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000093301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.731{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000093300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000093299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000093298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000093297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000093296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000093295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000093294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000093293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000093292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000093291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000093290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000093289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000093288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000093287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000093286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000093285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000093284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000093282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000093281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000093280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000093279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000093278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000093277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000093276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000093275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000093274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000093273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000093272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000093271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000093270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000093269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000093268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000093266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000093265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000093263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000093258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.715{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000093257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.716{F172AD64-79AD-63C6-8602-00000000B002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000093256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.680{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe2023-01-17 10:34:21.680 11241100x800000000000000093255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.678{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.Console.exe2023-01-17 10:34:21.678 11241100x800000000000000093254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Console.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\zh-CN2023-01-17 10:34:21.662 11241100x800000000000000093237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.662{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.resources.dll2023-01-17 10:34:21.662 11241100x800000000000000093234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Console.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\uk2023-01-17 10:34:21.646 11241100x800000000000000093220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\WindowsFormsIntegration.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\WindowsBase.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\UIAutomationTypes.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\UIAutomationProvider.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.646{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\UIAutomationClientSideProviders.resources.dll2023-01-17 10:34:21.646 11241100x800000000000000093215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\UIAutomationClient.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\System.Xaml.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\System.Windows.Forms.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\System.Windows.Forms.Design.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\ReachFramework.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\PresentationUI.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\PresentationFramework.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\PresentationCore.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.631{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:34:21.631 11241100x800000000000000093203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:34:21.615 11241100x800000000000000093190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.615{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Console.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.601 11241100x800000000000000093174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\tr2023-01-17 10:34:21.601 11241100x800000000000000093173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.601{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Themes\light.dntheme2023-01-17 10:34:21.601 11241100x800000000000000093172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Themes\hc.dntheme2023-01-17 10:34:21.586 11241100x800000000000000093171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Themes\dark.dntheme2023-01-17 10:34:21.586 11241100x800000000000000093170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Themes\blue.dntheme2023-01-17 10:34:21.586 11241100x800000000000000093169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Themes2023-01-17 10:34:21.586 11241100x800000000000000093168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\WindowsFormsIntegration.resources.dll2023-01-17 10:34:21.586 11241100x800000000000000093167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\WindowsBase.resources.dll2023-01-17 10:34:21.586 11241100x800000000000000093166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\UIAutomationTypes.resources.dll2023-01-17 10:34:21.586 11241100x800000000000000093165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\UIAutomationProvider.resources.dll2023-01-17 10:34:21.586 11241100x800000000000000093164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\UIAutomationClientSideProviders.resources.dll2023-01-17 10:34:21.586 11241100x800000000000000093163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\UIAutomationClient.resources.dll2023-01-17 10:34:21.586 11241100x800000000000000093162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\System.Xaml.resources.dll2023-01-17 10:34:21.586 11241100x800000000000000093161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:34:21.586 11241100x800000000000000093160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\System.Windows.Forms.resources.dll2023-01-17 10:34:21.586 11241100x800000000000000093159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.586{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:34:21.586 11241100x800000000000000093158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.585{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\System.Windows.Forms.Design.resources.dll2023-01-17 10:34:21.585 11241100x800000000000000093157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.584{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:34:21.584 11241100x800000000000000093156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.583{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\ReachFramework.resources.dll2023-01-17 10:34:21.583 11241100x800000000000000093155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.582{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\PresentationUI.resources.dll2023-01-17 10:34:21.582 11241100x800000000000000093154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.580{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\PresentationFramework.resources.dll2023-01-17 10:34:21.580 11241100x800000000000000093153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.578{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\PresentationCore.resources.dll2023-01-17 10:34:21.578 11241100x800000000000000093152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.578{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:34:21.576 11241100x800000000000000093151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.576{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:34:21.576 11241100x800000000000000093150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.575{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:34:21.575 11241100x800000000000000093149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.574{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:34:21.574 11241100x800000000000000093148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.573{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:34:21.573 11241100x800000000000000093147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.558{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.558 11241100x800000000000000093136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Console.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ru2023-01-17 10:34:21.542 11241100x800000000000000093121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.542{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.542 11241100x800000000000000093117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.541{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.541 11241100x800000000000000093116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.541{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.541 11241100x800000000000000093115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.540{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.539 11241100x800000000000000093114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.539{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.539 11241100x800000000000000093113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.538{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.538 11241100x800000000000000093112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.538{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.538 11241100x800000000000000093111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.535 11241100x800000000000000093110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.535 11241100x800000000000000093109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Console.resources.dll2023-01-17 10:34:21.535 11241100x800000000000000093108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.535{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.534 11241100x800000000000000093107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.534{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.533 11241100x800000000000000093106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.533{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.533 11241100x800000000000000093105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.533{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-PT2023-01-17 10:34:21.533 11241100x800000000000000093104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.532{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\WindowsFormsIntegration.resources.dll2023-01-17 10:34:21.531 11241100x800000000000000093103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.531{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.531{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00F39A252B8497B6FC7EACD6644B306,SHA256=4435F73E735C8CDACFEEB8FC6CCD1E232B8A05EF1D9D3FC1C57F8D38011CEBCB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000093101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.530{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\WindowsBase.resources.dll2023-01-17 10:34:21.529 11241100x800000000000000093100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.529{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\UIAutomationTypes.resources.dll2023-01-17 10:34:21.528 11241100x800000000000000093099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.528{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\UIAutomationProvider.resources.dll2023-01-17 10:34:21.528 11241100x800000000000000093098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.527{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\UIAutomationClientSideProviders.resources.dll2023-01-17 10:34:21.527 11241100x800000000000000093097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.526{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\UIAutomationClient.resources.dll2023-01-17 10:34:21.526 11241100x800000000000000093096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.525{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\System.Xaml.resources.dll2023-01-17 10:34:21.525 11241100x800000000000000093095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.524{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:34:21.524 11241100x800000000000000093094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.521{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\System.Windows.Forms.resources.dll2023-01-17 10:34:21.520 11241100x800000000000000093093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.519{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:34:21.519 11241100x800000000000000093092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.518{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\System.Windows.Forms.Design.resources.dll2023-01-17 10:34:21.517 11241100x800000000000000093091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.517{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:34:21.516 11241100x800000000000000093090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.516{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\ReachFramework.resources.dll2023-01-17 10:34:21.516 11241100x800000000000000093089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.515{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\PresentationUI.resources.dll2023-01-17 10:34:21.515 11241100x800000000000000093088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.513{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\PresentationFramework.resources.dll2023-01-17 10:34:21.513 11241100x800000000000000093087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.512{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\PresentationCore.resources.dll2023-01-17 10:34:21.512 11241100x800000000000000093086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.511{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:34:21.510 11241100x800000000000000093085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.509{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:34:21.509 11241100x800000000000000093084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.509{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:34:21.508 11241100x800000000000000093083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.508{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:34:21.508 11241100x800000000000000093082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.507{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:34:21.507 11241100x800000000000000093081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.504{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:34:21.504 11241100x800000000000000093080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.503{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:34:21.503 11241100x800000000000000093079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.502{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:34:21.501 11241100x800000000000000093078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.501{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:34:21.500 11241100x800000000000000093077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.499{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:34:21.499 11241100x800000000000000093076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.499{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:34:21.499 11241100x800000000000000093075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.498{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:34:21.498 11241100x800000000000000093074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.495{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:34:21.495 11241100x800000000000000093073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.494{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:34:21.494 11241100x800000000000000093072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.493{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.492 11241100x800000000000000093071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.492{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.492 11241100x800000000000000093070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.491{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.resources.dll2023-01-17 10:34:21.491 11241100x800000000000000093069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.490{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.490 11241100x800000000000000093068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.489{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.489 11241100x800000000000000093067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.489{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.489 11241100x800000000000000093066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.488{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.488 11241100x800000000000000093065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.487{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.487 11241100x800000000000000093064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.486{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.486 11241100x800000000000000093063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.486{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.486 11241100x800000000000000093062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.485{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.485 11241100x800000000000000093061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.484{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.484 11241100x800000000000000093060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.484{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Console.resources.dll2023-01-17 10:34:21.484 11241100x800000000000000093059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.483{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.482 11241100x800000000000000093058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.481{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.481 11241100x800000000000000093057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.481{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.481 11241100x800000000000000093056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.480{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\pt-BR2023-01-17 10:34:21.480 11241100x800000000000000093055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.480{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\OtherLicenses.txt2023-01-17 10:34:21.478 11241100x800000000000000093054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.478{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\LICENSE.txt2023-01-17 10:34:21.478 11241100x800000000000000093053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.478{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\GPLv3.txt2023-01-17 10:34:21.478 11241100x800000000000000093052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.477{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\CREDITS.txt2023-01-17 10:34:21.477 11241100x800000000000000093051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.477{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\ApacheV2.txt2023-01-17 10:34:21.476 11241100x800000000000000093050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.476{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo2023-01-17 10:34:21.476 11241100x800000000000000093049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.476{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\WindowsFormsIntegration.resources.dll2023-01-17 10:34:21.475 11241100x800000000000000093048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.473{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\WindowsBase.resources.dll2023-01-17 10:34:21.473 11241100x800000000000000093047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.473{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\UIAutomationTypes.resources.dll2023-01-17 10:34:21.472 11241100x800000000000000093046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.472{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\UIAutomationProvider.resources.dll2023-01-17 10:34:21.472 11241100x800000000000000093045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.471{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\UIAutomationClientSideProviders.resources.dll2023-01-17 10:34:21.471 11241100x800000000000000093044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.470{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\UIAutomationClient.resources.dll2023-01-17 10:34:21.470 11241100x800000000000000093043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.469{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\System.Xaml.resources.dll2023-01-17 10:34:21.469 11241100x800000000000000093042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.468{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:34:21.468 11241100x800000000000000093041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.465{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\System.Windows.Forms.resources.dll2023-01-17 10:34:21.463 11241100x800000000000000093040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.462{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:34:21.462 11241100x800000000000000093039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.461{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\System.Windows.Forms.Design.resources.dll2023-01-17 10:34:21.461 11241100x800000000000000093038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.458{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:34:21.458 11241100x800000000000000093037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.458{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\ReachFramework.resources.dll2023-01-17 10:34:21.458 11241100x800000000000000093036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.458{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\PresentationUI.resources.dll2023-01-17 10:34:21.458 11241100x800000000000000093035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.456{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\PresentationFramework.resources.dll2023-01-17 10:34:21.456 11241100x800000000000000093034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.455{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\PresentationCore.resources.dll2023-01-17 10:34:21.455 11241100x800000000000000093033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.454{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:34:21.451 11241100x800000000000000093032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.451{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:34:21.451 11241100x800000000000000093031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.451{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:34:21.451 11241100x800000000000000093030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.451{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:34:21.451 11241100x800000000000000093029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.450{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:34:21.450 11241100x800000000000000093028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.447{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:34:21.447 11241100x800000000000000093027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.446{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:34:21.446 11241100x800000000000000093026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.445{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:34:21.443 11241100x800000000000000093025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.443{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:34:21.443 11241100x800000000000000093024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.442{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:34:21.442 11241100x800000000000000093023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.442{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:34:21.442 11241100x800000000000000093022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.441{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:34:21.441 11241100x800000000000000093021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.436{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:34:21.436 11241100x800000000000000093020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.435{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:34:21.435 11241100x800000000000000093019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.435{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.432 11241100x800000000000000093018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.432{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.432 11241100x800000000000000093017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.432{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.resources.dll2023-01-17 10:34:21.432 11241100x800000000000000093016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.431{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.431 11241100x800000000000000093015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.431{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.430 11241100x800000000000000093014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.430{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.430 11241100x800000000000000093013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.429{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.429 11241100x800000000000000093012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.428{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.428 11241100x800000000000000093011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.427{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.427 11241100x800000000000000093010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.427{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.427 11241100x800000000000000093009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.426{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.426 11241100x800000000000000093008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.426{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.425 11241100x800000000000000093007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.425{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Console.resources.dll2023-01-17 10:34:21.425 11241100x800000000000000093006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.424{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.420 11241100x800000000000000093005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.420{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.420 11241100x800000000000000093004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.420{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.420 11241100x800000000000000093003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.420{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\it2023-01-17 10:34:21.420 11241100x800000000000000093002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.420{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.420 11241100x800000000000000093001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.419{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.419 11241100x800000000000000093000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.418{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.resources.dll2023-01-17 10:34:21.418 11241100x800000000000000092999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.417{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.417 11241100x800000000000000092998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.417{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.417 11241100x800000000000000092997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.416{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.416 11241100x800000000000000092996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.415{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.415 11241100x800000000000000092995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.414{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.414 11241100x800000000000000092994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.414{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.414 11241100x800000000000000092993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.413{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.413 11241100x800000000000000092992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.412{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.412 11241100x800000000000000092991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.412{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.411 11241100x800000000000000092990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.411{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Console.resources.dll2023-01-17 10:34:21.411 11241100x800000000000000092989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.411{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.410 11241100x800000000000000092988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.409{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.409 11241100x800000000000000092987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.408{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.408 11241100x800000000000000092986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.408{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hu2023-01-17 10:34:21.408 11241100x800000000000000092985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.407{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\WindowsFormsIntegration.resources.dll2023-01-17 10:34:21.406 11241100x800000000000000092984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.405{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\WindowsBase.resources.dll2023-01-17 10:34:21.405 11241100x800000000000000092983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.404{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\UIAutomationTypes.resources.dll2023-01-17 10:34:21.404 11241100x800000000000000092982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.403{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\UIAutomationProvider.resources.dll2023-01-17 10:34:21.403 11241100x800000000000000092981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.403{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\UIAutomationClientSideProviders.resources.dll2023-01-17 10:34:21.403 11241100x800000000000000092980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.402{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\UIAutomationClient.resources.dll2023-01-17 10:34:21.402 11241100x800000000000000092979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.401{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\System.Xaml.resources.dll2023-01-17 10:34:21.401 11241100x800000000000000092978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.400{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:34:21.400 11241100x800000000000000092977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.397{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\System.Windows.Forms.resources.dll2023-01-17 10:34:21.394 11241100x800000000000000092976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.394{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.394{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD4D093E950C117CD0EAF0FE5250058,SHA256=A11A49AD05283237FE0AD49F286F2B7E760EDFF9A06486F7EA2A611B5CE990AF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.393{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:34:21.393 11241100x800000000000000092973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.391{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\System.Windows.Forms.Design.resources.dll2023-01-17 10:34:21.391 11241100x800000000000000092972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.390{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:34:21.390 11241100x800000000000000092971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.389{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\ReachFramework.resources.dll2023-01-17 10:34:21.389 11241100x800000000000000092970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.388{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\PresentationUI.resources.dll2023-01-17 10:34:21.388 11241100x800000000000000092969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.386{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\PresentationFramework.resources.dll2023-01-17 10:34:21.386 11241100x800000000000000092968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.385{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\PresentationCore.resources.dll2023-01-17 10:34:21.385 11241100x800000000000000092967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.384{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:34:21.380 11241100x800000000000000092966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.380{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:34:21.380 11241100x800000000000000092965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.379{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:34:21.379 11241100x800000000000000092964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.378{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:34:21.378 11241100x800000000000000092963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.377{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:34:21.377 11241100x800000000000000092962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.375{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:34:21.374 11241100x800000000000000092961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.373{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:34:21.373 11241100x800000000000000092960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.373{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:34:21.371 11241100x800000000000000092959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.371{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:34:21.371 11241100x800000000000000092958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.369{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:34:21.369 11241100x800000000000000092957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.368{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:34:21.368 11241100x800000000000000092956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.368{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:34:21.368 11241100x800000000000000092955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.365{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:34:21.365 11241100x800000000000000092954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.364{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:34:21.364 11241100x800000000000000092953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.364{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.361 11241100x800000000000000092952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.361{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.361 11241100x800000000000000092951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.361{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.resources.dll2023-01-17 10:34:21.361 11241100x800000000000000092950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.361{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.361 11241100x800000000000000092949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.361{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.359 11241100x800000000000000092948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.359{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.359 11241100x800000000000000092947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.358{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.358 11241100x800000000000000092946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.358{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.358 11241100x800000000000000092945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.357{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.357 11241100x800000000000000092944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.356{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.356 11241100x800000000000000092943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.356{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.355 11241100x800000000000000092942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.355{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.355 11241100x800000000000000092941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.354{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Console.resources.dll2023-01-17 10:34:21.354 11241100x800000000000000092940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.353{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.353 11241100x800000000000000092939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.352{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.352 11241100x800000000000000092938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.351{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.351 11241100x800000000000000092937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.351{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fr2023-01-17 10:34:21.351 11241100x800000000000000092936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.350{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\FileLists\DOTNET Framework v4.0 Client.FileList.xml2023-01-17 10:34:21.350 11241100x800000000000000092935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.349{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\FileLists\DOTNET Framework v3.5 Client.FileList.xml2023-01-17 10:34:21.349 11241100x800000000000000092934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.349{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\FileLists2023-01-17 10:34:21.349 11241100x800000000000000092933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.349{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.347 11241100x800000000000000092932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.346{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.346 11241100x800000000000000092931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.345{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.resources.dll2023-01-17 10:34:21.345 11241100x800000000000000092930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.344{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.344 11241100x800000000000000092929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.344{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.343 11241100x800000000000000092928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.343{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.342 11241100x800000000000000092927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.342{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.341 11241100x800000000000000092926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.341{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.341 11241100x800000000000000092925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.340{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.340 11241100x800000000000000092924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.339{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.339 11241100x800000000000000092923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.339{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.338 11241100x800000000000000092922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.338{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.338 11241100x800000000000000092921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.337{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Console.resources.dll2023-01-17 10:34:21.337 11241100x800000000000000092920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.336{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.327 11241100x800000000000000092919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.326{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.326 11241100x800000000000000092918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.326{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.326 11241100x800000000000000092917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.325{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\fa2023-01-17 10:34:21.325 11241100x800000000000000092916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.325{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.324 11241100x800000000000000092915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.324{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.323 11241100x800000000000000092914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.323{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.resources.dll2023-01-17 10:34:21.322 11241100x800000000000000092913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.322{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.322 11241100x800000000000000092912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.321{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.321 11241100x800000000000000092911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.321{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.320 11241100x800000000000000092910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.320{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.320 11241100x800000000000000092909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.319{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.319 11241100x800000000000000092908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.318{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.318 11241100x800000000000000092907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.318{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.317 11241100x800000000000000092906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.317{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.317 11241100x800000000000000092905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.316{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.316 11241100x800000000000000092904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.316{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Console.resources.dll2023-01-17 10:34:21.316 11241100x800000000000000092903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.315{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.314 11241100x800000000000000092902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.314{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.313 11241100x800000000000000092901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.313{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.313 11241100x800000000000000092900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.313{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es-ES2023-01-17 10:34:21.313 11241100x800000000000000092899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.312{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\WindowsFormsIntegration.resources.dll2023-01-17 10:34:21.311 11241100x800000000000000092898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.310{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\WindowsBase.resources.dll2023-01-17 10:34:21.309 11241100x800000000000000092897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.309{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\UIAutomationTypes.resources.dll2023-01-17 10:34:21.309 11241100x800000000000000092896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.308{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\UIAutomationProvider.resources.dll2023-01-17 10:34:21.308 11241100x800000000000000092895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.307{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\UIAutomationClientSideProviders.resources.dll2023-01-17 10:34:21.307 11241100x800000000000000092894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.306{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\UIAutomationClient.resources.dll2023-01-17 10:34:21.306 11241100x800000000000000092893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.305{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\System.Xaml.resources.dll2023-01-17 10:34:21.305 11241100x800000000000000092892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.305{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:34:21.305 11241100x800000000000000092891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.302{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\System.Windows.Forms.resources.dll2023-01-17 10:34:21.301 11241100x800000000000000092890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.300{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:34:21.300 11241100x800000000000000092889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.299{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\System.Windows.Forms.Design.resources.dll2023-01-17 10:34:21.299 11241100x800000000000000092888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.298{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:34:21.298 11241100x800000000000000092887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.297{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\ReachFramework.resources.dll2023-01-17 10:34:21.297 11241100x800000000000000092886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.296{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\PresentationUI.resources.dll2023-01-17 10:34:21.296 11241100x800000000000000092885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.294{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\PresentationFramework.resources.dll2023-01-17 10:34:21.294 11241100x800000000000000092884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.293{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\PresentationCore.resources.dll2023-01-17 10:34:21.293 11241100x800000000000000092883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.292{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:34:21.291 11241100x800000000000000092882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.291{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:34:21.291 11241100x800000000000000092881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.290{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:34:21.290 11241100x800000000000000092880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.289{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:34:21.289 11241100x800000000000000092879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.288{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:34:21.288 11241100x800000000000000092878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.286{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:34:21.285 11241100x800000000000000092877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.284{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:34:21.284 11241100x800000000000000092876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.283{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:34:21.283 11241100x800000000000000092875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.283{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:34:21.282 11241100x800000000000000092874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.282{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:34:21.281 11241100x800000000000000092873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.281{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:34:21.281 11241100x800000000000000092872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.280{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:34:21.279 11241100x800000000000000092871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.277{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:34:21.277 11241100x800000000000000092870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.276{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:34:21.276 11241100x800000000000000092869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.276{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\es2023-01-17 10:34:21.275 11241100x800000000000000092868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.275{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\debug\DotNet.ex.xml2023-01-17 10:34:21.275 11241100x800000000000000092867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.275{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\debug2023-01-17 10:34:21.275 11241100x800000000000000092866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.274{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\WindowsFormsIntegration.resources.dll2023-01-17 10:34:21.273 11241100x800000000000000092865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.272{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\WindowsBase.resources.dll2023-01-17 10:34:21.272 11241100x800000000000000092864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.271{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\UIAutomationTypes.resources.dll2023-01-17 10:34:21.271 11241100x800000000000000092863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.268{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\UIAutomationProvider.resources.dll2023-01-17 10:34:21.268 11241100x800000000000000092862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.267{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\UIAutomationClientSideProviders.resources.dll2023-01-17 10:34:21.267 11241100x800000000000000092861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.266{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\UIAutomationClient.resources.dll2023-01-17 10:34:21.266 11241100x800000000000000092860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.265{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\System.Xaml.resources.dll2023-01-17 10:34:21.265 11241100x800000000000000092859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.264{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:34:21.264 11241100x800000000000000092858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.262{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\System.Windows.Forms.resources.dll2023-01-17 10:34:21.260 11241100x800000000000000092857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.260{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:34:21.260 11241100x800000000000000092856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.258{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\System.Windows.Forms.Design.resources.dll2023-01-17 10:34:21.258 11241100x800000000000000092855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.258{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:34:21.257 11241100x800000000000000092854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.257{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\ReachFramework.resources.dll2023-01-17 10:34:21.257 11241100x800000000000000092853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.256{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\PresentationUI.resources.dll2023-01-17 10:34:21.256 11241100x800000000000000092852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.254{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\PresentationFramework.resources.dll2023-01-17 10:34:21.254 11241100x800000000000000092851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.252{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\PresentationCore.resources.dll2023-01-17 10:34:21.252 11241100x800000000000000092850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.251{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:34:21.250 11241100x800000000000000092849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.249{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:34:21.249 11241100x800000000000000092848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.248{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:34:21.248 11241100x800000000000000092847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.248{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:34:21.247 11241100x800000000000000092846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.247{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:34:21.247 11241100x800000000000000092845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.244{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:34:21.244 11241100x800000000000000092844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.243{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:34:21.243 11241100x800000000000000092843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.242{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:34:21.241 11241100x800000000000000092842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.241{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:34:21.240 11241100x800000000000000092841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.239{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:34:21.239 11241100x800000000000000092840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.239{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:34:21.239 11241100x800000000000000092839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.238{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:34:21.238 11241100x800000000000000092838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.236{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:34:21.235 11241100x800000000000000092837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.235{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:34:21.235 11241100x800000000000000092836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.234{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.233 11241100x800000000000000092835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.233{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.233 11241100x800000000000000092834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.232{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.resources.dll2023-01-17 10:34:21.232 11241100x800000000000000092833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.231{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.231 11241100x800000000000000092832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.231{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.230 11241100x800000000000000092831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.230{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.230 11241100x800000000000000092830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.229{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.229 11241100x800000000000000092829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.228{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.228 11241100x800000000000000092828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.228{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.227 11241100x800000000000000092827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.227{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.227 11241100x800000000000000092826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.226{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.226 11241100x800000000000000092825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.226{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.226 11241100x800000000000000092824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.225{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Console.resources.dll2023-01-17 10:34:21.225 11241100x800000000000000092823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.224{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.224 11241100x800000000000000092822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.223{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.223 11241100x800000000000000092821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.222{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.222 11241100x800000000000000092820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.222{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\de2023-01-17 10:34:21.222 11241100x800000000000000092819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.221{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\WindowsFormsIntegration.resources.dll2023-01-17 10:34:21.220 11241100x800000000000000092818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.219{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\WindowsBase.resources.dll2023-01-17 10:34:21.219 11241100x800000000000000092817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.218{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\UIAutomationTypes.resources.dll2023-01-17 10:34:21.218 11241100x800000000000000092816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.217{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\UIAutomationProvider.resources.dll2023-01-17 10:34:21.217 11241100x800000000000000092815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.216{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\UIAutomationClientSideProviders.resources.dll2023-01-17 10:34:21.216 11241100x800000000000000092814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.216{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\UIAutomationClient.resources.dll2023-01-17 10:34:21.216 11241100x800000000000000092813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.215{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\System.Xaml.resources.dll2023-01-17 10:34:21.215 11241100x800000000000000092812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.214{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\System.Windows.Input.Manipulations.resources.dll2023-01-17 10:34:21.214 11241100x800000000000000092811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.211{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\System.Windows.Forms.resources.dll2023-01-17 10:34:21.209 11241100x800000000000000092810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.209{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\System.Windows.Forms.Primitives.resources.dll2023-01-17 10:34:21.208 11241100x800000000000000092809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.207{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\System.Windows.Forms.Design.resources.dll2023-01-17 10:34:21.207 11241100x800000000000000092808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.204{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\System.Windows.Controls.Ribbon.resources.dll2023-01-17 10:34:21.204 11241100x800000000000000092807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.204{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\ReachFramework.resources.dll2023-01-17 10:34:21.203 11241100x800000000000000092806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.203{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\PresentationUI.resources.dll2023-01-17 10:34:21.202 11241100x800000000000000092805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.201{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\PresentationFramework.resources.dll2023-01-17 10:34:21.200 11241100x800000000000000092804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.199{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\PresentationCore.resources.dll2023-01-17 10:34:21.199 11241100x800000000000000092803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.199{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.VisualStudio.Validation.resources.dll2023-01-17 10:34:21.198 11241100x800000000000000092802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.197{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.VisualStudio.Composition.resources.dll2023-01-17 10:34:21.197 11241100x800000000000000092801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.196{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.VisualBasic.Forms.resources.dll2023-01-17 10:34:21.196 11241100x800000000000000092800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.195{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.Workspaces.resources.dll2023-01-17 10:34:21.195 11241100x800000000000000092799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.194{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.VisualBasic.Workspaces.resources.dll2023-01-17 10:34:21.194 11241100x800000000000000092798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.192{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.VisualBasic.resources.dll2023-01-17 10:34:21.192 11241100x800000000000000092797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.191{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.VisualBasic.Features.resources.dll2023-01-17 10:34:21.191 11241100x800000000000000092796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.190{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.Scripting.resources.dll2023-01-17 10:34:21.189 11241100x800000000000000092795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.188{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.resources.dll2023-01-17 10:34:21.188 11241100x800000000000000092794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.187{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.Features.resources.dll2023-01-17 10:34:21.187 11241100x800000000000000092793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.186{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.CSharp.Workspaces.resources.dll2023-01-17 10:34:21.186 11241100x800000000000000092792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.186{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.CSharp.Scripting.resources.dll2023-01-17 10:34:21.186 11241100x800000000000000092791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.183{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.CSharp.resources.dll2023-01-17 10:34:21.183 11241100x800000000000000092790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.183{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\Microsoft.CodeAnalysis.CSharp.Features.resources.dll2023-01-17 10:34:21.182 11241100x800000000000000092789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.182{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Scripting.Roslyn.x.resources.dll2023-01-17 10:34:21.181 11241100x800000000000000092788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.181{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Roslyn.resources.dll2023-01-17 10:34:21.180 11241100x800000000000000092787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.180{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.resources.dll2023-01-17 10:34:21.179 11241100x800000000000000092786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.179{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Decompiler.resources.dll2023-01-17 10:34:21.179 11241100x800000000000000092785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.178{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Decompiler.ILSpy.x.resources.dll2023-01-17 10:34:21.178 11241100x800000000000000092784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.178{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Decompiler.ILSpy.Core.resources.dll2023-01-17 10:34:21.177 11241100x800000000000000092783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.177{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Debugger.x.resources.dll2023-01-17 10:34:21.176 11241100x800000000000000092782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.176{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Debugger.DotNet.x.resources.dll2023-01-17 10:34:21.176 11241100x800000000000000092781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.175{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Debugger.DotNet.Mono.x.resources.dll2023-01-17 10:34:21.175 11241100x800000000000000092780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.175{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Debugger.DotNet.CorDebug.x.resources.dll2023-01-17 10:34:21.174 11241100x800000000000000092779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.174{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Contracts.Logic.resources.dll2023-01-17 10:34:21.174 11241100x800000000000000092778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.173{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Contracts.DnSpy.resources.dll2023-01-17 10:34:21.173 11241100x800000000000000092777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.173{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Console.resources.dll2023-01-17 10:34:21.173 11241100x800000000000000092776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.172{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.BamlDecompiler.x.resources.dll2023-01-17 10:34:21.171 11241100x800000000000000092775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.169{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.AsmEditor.x.resources.dll2023-01-17 10:34:21.169 11241100x800000000000000092774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.169{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs\dnSpy.Analyzer.x.resources.dll2023-01-17 10:34:21.169 11241100x800000000000000092773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.168{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\cs2023-01-17 10:34:21.168 11241100x800000000000000092772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.146{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\wpfgfx_cor3.dll2023-01-17 10:34:21.145 11241100x800000000000000092771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.143{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\WindowsFormsIntegration.dll2023-01-17 10:34:21.142 11241100x800000000000000092770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.129{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.129{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F4E9C17EFA7B7294915DE0DD1B302E,SHA256=4754C48B48453CD292303AA1B5B6C0F473DF837C0A347084DB0673D7851C5495,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.124{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000092767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.123{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3098F3E424535548902E260E7D7F2A28,SHA256=6590BDC8B67C3D785595B62E475DE97549E7238D6CF092255D3BC55EE018BADA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.120{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 11241100x800000000000000092765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.120{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\WindowsBase.dll2023-01-17 10:34:21.120 23542300x800000000000000092764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.120{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=45DFF04A72922BB4E4E9BF9BB1D8F8CA,SHA256=432854BA8B4B8A4642D71037B121925ED7A883547F92347968B6786E081D7F6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000092763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.118{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\vcruntime140_cor3.dll2023-01-17 10:34:21.118 11241100x800000000000000092762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.115{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\UIAutomationTypes.dll2023-01-17 10:34:21.115 11241100x800000000000000092761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.111{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\UIAutomationProvider.dll2023-01-17 10:34:21.111 11241100x800000000000000092760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.102{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\UIAutomationClientSideProviders.dll2023-01-17 10:34:21.102 11241100x800000000000000092759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.098{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\UIAutomationClient.dll2023-01-17 10:34:21.097 11241100x800000000000000092758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.087{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ucrtbase.dll2023-01-17 10:34:21.087 11241100x800000000000000092757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.086{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.XPath.XDocument.dll2023-01-17 10:34:21.086 11241100x800000000000000092756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.086{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.XPath.dll2023-01-17 10:34:21.085 11241100x800000000000000092755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.085{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.XmlSerializer.dll2023-01-17 10:34:21.085 11241100x800000000000000092754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.084{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.XmlDocument.dll2023-01-17 10:34:21.084 11241100x800000000000000092753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.083{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.XDocument.dll2023-01-17 10:34:21.083 11241100x800000000000000092752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.081{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.Serialization.dll2023-01-17 10:34:21.081 11241100x800000000000000092751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.080{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.ReaderWriter.dll2023-01-17 10:34:21.080 11241100x800000000000000092750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.080{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.Linq.dll2023-01-17 10:34:21.079 11241100x800000000000000092749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.079{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.dll2023-01-17 10:34:21.079 11241100x800000000000000092748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.065{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xaml.dll2023-01-17 10:34:21.065 11241100x800000000000000092747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.064{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Presentation.dll2023-01-17 10:34:21.064 11241100x800000000000000092746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.062{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Input.Manipulations.dll2023-01-17 10:34:21.062 11241100x800000000000000092745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:21.055{F172AD64-79AA-63C6-8302-00000000B002}6624C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Forms.Primitives.dll2023-01-17 10:34:21.055 23542300x800000000000000069560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:22.756{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6369D26BFDEB64FA84689F7E9F3044,SHA256=72578411E5F439CCACDB93AD36CC26D351AB17E593E7A4A4EB221746BAF62FEC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000093322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:22.950{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:22.950{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627534C2408FE668C83660200182ACDC,SHA256=E51F3989C136BB4FE7DD6ADDB8B72A551313C6BA89EE038E67D1F2EC1597EF68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:22.542{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-053MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000093320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:22.908{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:34:22.908 354300x800000000000000093319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:19.354{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49596-false10.0.1.12-8000- 23542300x800000000000000093318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:22.157{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4B2696E8B06871FF5BB2CB9D7B8C5E31,SHA256=B62B46BC3090F9291913D44A40B1EA40753914D0D71F8F24D8896F47CD83EAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:23.839{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6428F14A4C0AA5B28EDA708295B45CAE,SHA256=DC95E00674B79D8E998B522B76327789B6893C1DDAB1C6F6452FF76EB28E8B36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000093325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:23.748{F172AD64-6CE8-63C6-0D00-00000000B002}8922084C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000093324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.768{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49597-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000093323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:20.768{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49597-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 734700x800000000000000093379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.634{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000093378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.634{F172AD64-79B0-63C6-8702-00000000B002}15524388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.618{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000093376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.618{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000093375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.349{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000093374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.349{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000093373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.349{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000093372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.349{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000093371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.349{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000093370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.349{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000093369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.349{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000093368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.349{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000093367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000093366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000093365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000093364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000093363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000093362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000093361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000093359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000093358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000093357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000093356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000093355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000093354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000093353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000093352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000093351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000093350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000093349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000093348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000093347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000093346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000093345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000093344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000093343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000093342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000093341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000093340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000093339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000093337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000093336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000093334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000093329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.333{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000093328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.334{F172AD64-79B0-63C6-8702-00000000B002}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000093327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.083{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.083{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A705167CAD8411CB68028EA62E81A1,SHA256=42EC57D61C56E5001F4D32BC42D0C359682B364D5FA5D7E8BFDDF3F7E05CA248,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.905{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000093484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.905{F172AD64-79B1-63C6-8902-00000000B002}60842984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.905{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000093482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.889{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000093481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.750{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000093480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.750{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000093479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.750{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000093478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.750{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000093477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000093476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000093475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000093474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000093473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000093472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000093471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000093470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000093469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000093468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000093467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000093466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000093464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000093463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000093462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000093461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000093460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000093459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000093458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000093457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000093456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000093455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000093454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000093453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000093452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000093451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000093450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000093449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000093448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000093447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000093446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000093444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000093443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000093441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000093436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.734{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000093435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.735{F172AD64-79B1-63C6-8902-00000000B002}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000093434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.377{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000093433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.376{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5D5BFF2AC8A379CBD5880617897DDF1,SHA256=24B62AC26381B1F86B936D5D02074021E568668BEE3A7FE16D1BC2046D880020,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.285{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000093431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.284{F172AD64-79B0-63C6-8802-00000000B002}67605692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.284{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000093429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.283{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000093428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.250{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.250{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03241068E462251122DB817315B10175,SHA256=39FAEF65CCC51388FDB1D86F0028899086F08ECB82F6B2D05E00E9D0A90AB6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:25.019{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C1E80A0F74F2ADA4897FC0681A2E48,SHA256=B23CE379A4D79A28ADCF1529A05E85DA6E31B936E9AC05EE633E8F06CB0F6EFC,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.044{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000093425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.044{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000093424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.044{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000093423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.044{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000093422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.044{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000093421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.044{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000093420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.044{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000093419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.044{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000093418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000093417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000093416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000093415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000093414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000093413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000093412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000093411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000093409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000093408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000093407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000093406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000093405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000093404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000093403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000093402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000093401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000093400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000093399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000093398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000093397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000093396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000093395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000093394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000093393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000093392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000093391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000093389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.030{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000093388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.014{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.014{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000093386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.014{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.014{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.014{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000093383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.014{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.014{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.014{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000093380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:24.835{F172AD64-79B0-63C6-8802-00000000B002}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:26.111{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F969F7AF5689B04DB81C781EEA92136D,SHA256=273D120BD5D2793170FE335C4B2348666C51EC37C79C7E3C195005D481ED542D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.905{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000093620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.905{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000093619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.905{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000093618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.835{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Collections.NonGeneric.dll5.0.20.51904System.Collections.NonGenericMicrosoft® .NETMicrosoft CorporationSystem.Collections.NonGeneric.dllMD5=2E493EC3902127E6AE28EEA5FCB8D8DE,SHA256=DDA6E3FD90DCFA60C661A5C760268248E1379C07BD9C266A784D5B63F94B22A1,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.835{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000093616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.805{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.Win32.Primitives.dll5.0.20.51904Microsoft.Win32.PrimitivesMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.Primitives.dllMD5=61919123A166BC20A0F81C5ABBF954DE,SHA256=E38A1BDAC35EC926B8BF766FCEEC70293BA64D49380369EA4FDD8116280FD8A2,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.805{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.dll5.0.20.51904System.ThreadingMicrosoft® .NETMicrosoft CorporationSystem.Threading.dllMD5=F792DBCB5D39526E0066F92E0F09E39F,SHA256=015914B354E42B685BB289943416D9B8705C4A0710B42955C0CB720C61139E9E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.805{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.Debug.dll5.0.20.51904System.Diagnostics.DebugMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Debug.dllMD5=409AA1E6671FF019C128C60EF64F6C82,SHA256=EF95C63DE453B85D493749502295AC69A79B9959B18B19346CE355F84E83FD1E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.805{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.CompilerServices.VisualC.dll5.0.20.51904System.Runtime.CompilerServices.VisualCMicrosoft® .NETMicrosoft CorporationSystem.Runtime.CompilerServices.VisualC.dllMD5=0D3B1FD3984D4B42539920B973BA359B,SHA256=3D93FBA495CA0B08F5F4300EEF51428E29586223356DF3A774473EF3BA02CB92,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.790{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.InteropServices.dll5.0.20.51904System.Runtime.InteropServicesMicrosoft® .NETMicrosoft CorporationSystem.Runtime.InteropServices.dllMD5=48FB2D5F200C68A00CE0388770341478,SHA256=31286DD429D6588632ADB78B514A0D9F8B8FC9AC2E88976D10F83D46CABDCCB5,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.790{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Extensions.dll5.0.20.51904System.Runtime.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Extensions.dllMD5=621F8ACC3152F04A3FD9A901B08985E2,SHA256=DDD7F16CF52C23B5953F67057BCDDCC8FC7F11B32DFD93A1E3079FB0E81A56FB,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.790{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\DirectWriteForwarder.dll5,0,20,52003 @Commit: 9e81b0885121e9958e48895ae48be9639a396528DirectWriteForwarderMicrosoft® .NET Framework-DirectWriteForwarderMD5=FE18B6ED4C63D18156217DC30F1482E5,SHA256=1F1093930EBC3779F2D4659ED3A31FD05CFA1DBFFC0F7575955CB28E7B990C64,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.786{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\WindowsBase.dll5.0.20.52003WindowsBaseWindowsBaseMicrosoft CorporationWindowsBase.dllMD5=E8674DBFCEAC4BC362C1F15CDC8FD2EF,SHA256=85812BC0CBE06A06CCDD20473155A5CFEF31B1760767E29EA688457F2830CCC1,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.750{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationCore.dll5.0.20.52003PresentationCorePresentationCoreMicrosoft CorporationPresentationCore.dllMD5=8248DAE04024364AEC8B53CE0A292EC7,SHA256=D9108C34CE90CFE678A8151FF48CCB814F7865263B233176A27C4745344A1A3F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000093607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.805{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.805{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3C38E9108AA3B1936D9DFB3BA54536,SHA256=6074595FA44DAD5372E8B2988BF7AF1036AE6FB8B970668D475C0BE6754DCCCE,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.666{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\netstandard.dll5.0.20.51904netstandardMicrosoft® .NETMicrosoft Corporationnetstandard.dllMD5=349C39C3FF7DD2FB44D5FA3C5BAF64C6,SHA256=737D504F6FA742B23CF4149CD0384FDBDC929BC4231BDD0D7BD772EA9DD1805F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.666{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.FileSystem.dll5.0.20.51904System.IO.FileSystemMicrosoft® .NETMicrosoft CorporationSystem.IO.FileSystem.dllMD5=944C070C2AC2208867B57D15C319CCC6,SHA256=AA4DB7AFCB061C7B1029C414BEEF19AD5BB319B69F6EB7756113C9F207162E63,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.666{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.Tracing.dll5.0.20.51904System.Diagnostics.TracingMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Tracing.dllMD5=04E44E8DEAF68D6285623287E6494209,SHA256=474DABC74F78E89A40DE5BE362CA399DE630400B46E7CB81C224692EBDBEED25,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.650{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.dll5.0.20.51904System.RuntimeMicrosoft® .NETMicrosoft CorporationSystem.Runtime.dllMD5=715F4DC52DA61002D5BB4E1A64108E82,SHA256=7445AA86EFEB0045D10AD97EC6A3B5BC72556E06501F471D754AE033DF87D5D0,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.634{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\clrjit.dll5,0,20,51904 @Commit: cf258a14b70ad9069470a108f13765e0e5988f51Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NETMicrosoft Corporationclrjit.dllMD5=AE031B7FAFB431D7E30B08D5E9A0B831,SHA256=97C766DBD9786E66E967263371B9F06A9F21AA2950795D4254A11EDCD20E430E,IMPHASH=683F62770505579F5D043E11A2DF1DD0trueMicrosoft CorporationValid 734700x800000000000000093600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000093599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000093598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000093597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000093596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000093595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000093594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000093593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000093592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000093591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000093590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.690{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000093589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.689{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000093588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.689{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000093587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.689{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x800000000000000093586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.689{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000093585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.689{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000093584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.689{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000093583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.689{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000093582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.688{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000093581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.688{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000093580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.619{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Private.CoreLib.dll5.0.20.51904System.Private.CoreLibMicrosoft® .NETMicrosoft CorporationSystem.Private.CoreLib.dllMD5=BD42384077787FB221C9F703FBB8BB88,SHA256=7A2279CD7D0507ADCB206269BF0FE2E69F1059EBE5976F7413B76B769C75D531,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.688{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000093578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.688{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000093577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.688{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000093576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.688{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000093575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.688{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000093574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.688{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000093573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.688{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000093572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.687{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000093571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.687{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000093570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.687{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000093569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.686{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000093568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.686{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000093567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.686{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000093566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.685{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000093565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.685{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.685{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000093563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.684{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.684{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000093561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.683{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000093560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.682{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000093559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.682{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.682{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000093557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.682{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.681{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.681{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.666{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000093553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.666{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000093552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.538{F172AD64-79B2-63C6-8B02-00000000B002}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000093551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.650{F172AD64-6CE8-63C6-1000-00000000B002}3566744C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.650{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.650{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 11241100x800000000000000093548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.650{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,runtime.win-x64.Microsoft.NETCore.DotNetHostPolicy,5.0.02023-01-17 10:34:26.650 11241100x800000000000000093547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.650{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,runtime.win-x64.Microsoft.NETCore.DotNetHostPolicy2023-01-17 10:34:26.650 734700x800000000000000093546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.534{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\coreclr.dll5,0,20,51904 @Commit: cf258a14b70ad9069470a108f13765e0e5988f51Microsoft .NET RuntimeMicrosoft® .NETMicrosoft CorporationCoreCLR.dllMD5=27D49DE876ADC48752954F64F5DB9DA4,SHA256=F31D2089328DB88FFD561F56DB944CAE79647478E2B72BE201D95607B8AE1666,IMPHASH=A005227D6892AC48968A76CB4731CAF8trueMicrosoft CorporationValid 11241100x800000000000000093545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.534{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.534{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C1A3DCC08E41F3328D3A3ADEAA6BD3,SHA256=E293FBCC961949AC54BD505917600D219716E7E112F6760D539A10E1C9709C5E,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000093543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:34:26.534{F172AD64-79B2-63C6-8A02-00000000B002}6208\dotnet-diagnostic-6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe 11241100x800000000000000093542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.534{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.534{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A089CA9CB420CA04E6CBBDF70BA6A7E,SHA256=310042A2E43FE28AC4E3D20E5426D92205EDE93F48945B53E0D39F8F570D78A3,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.534{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000093539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.534{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000093538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.534{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000093537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.450{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hostpolicy.dll5,0,20,51904 @Commit: cf258a14b70ad9069470a108f13765e0e5988f51.NET Host Policy - 5.0.0Microsoft® .NET FrameworkMicrosoft Corporation.NET Host Policy - 5.0.0MD5=AF83B14C9628F161C980F69F7AE7B2BE,SHA256=FB249FED957EE658BFC20DBE18D1810AED29CD0B626374D147DA5891A24B1B52,IMPHASH=DF1918075DFE759AF5106401A1D06A4EtrueMicrosoft CorporationValid 734700x800000000000000093536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.450{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\hostfxr.dll5,0,20,51904 @Commit: cf258a14b70ad9069470a108f13765e0e5988f51.NET Host Resolver - 5.0.0Microsoft® .NET FrameworkMicrosoft Corporation.NET Host Resolver - 5.0.0MD5=FA1BA429770BC8B64CE65511F29FF88F,SHA256=48D9968DB0001585B27C46C96D47952E86A42540B236A7D6877E8C67B7FA79A1,IMPHASH=EBD06F3175E856B542245E07CE312839trueMicrosoft CorporationValid 734700x800000000000000093535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=4C76812B58E0B647D28D6FCEFC6702AF,SHA256=76CF6D4562438A4F51D526C1A9962F7174490A553CC9897C9F60A96702EEB680,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x800000000000000093534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x800000000000000093533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000093532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000093531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000093530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000093529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000093528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000093527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000093526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000093525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000093524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000093523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000093522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe6.1.8.0dnSpydnSpydnSpydnSpy.dllMD5=5CF180FEC9628C4DF4267DE3ED7A98A7,SHA256=BC1C4E0FC49C138BBFC223D3E94231CD4884439C663646D91E48FA005DF6704A,IMPHASH=EA4DD374D22E48FDCFFCC7AD5E323053false-Unavailable 734700x800000000000000093521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000093520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000093519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000093518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000093517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000093516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000093515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000093514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000093513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000093511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000093510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000093509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000093508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDBSetValue2023-01-17 10:34:26.434{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeBinary Data 10341000x800000000000000093507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-6CE8-63C6-1300-00000000B002}6802916C:\Windows\System32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-6CE8-63C6-1300-00000000B002}6802916C:\Windows\System32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.434{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.419{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.419{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.419{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.419{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000093500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.419{F172AD64-7634-63C6-B901-00000000B002}49007068C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000093499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.431{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe6.1.8.0dnSpydnSpydnSpydnSpy.dll"C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe" C:\Users\Administrator\Downloads\dnSpy-net-win64\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=5CF180FEC9628C4DF4267DE3ED7A98A7,SHA256=BC1C4E0FC49C138BBFC223D3E94231CD4884439C663646D91E48FA005DF6704A,IMPHASH=EA4DD374D22E48FDCFFCC7AD5E323053{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 11241100x800000000000000093498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.165{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico2023-01-17 10:34:26.165 11241100x800000000000000093497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.165{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\jumpListCache\z+m4bc7csnvEvmcDSOFrLA==.ico2023-01-17 10:34:26.165 11241100x800000000000000093496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.165{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\jumpListCache\aQpAv+OzlVN3CsmxSn2KDQ==.ico2023-01-17 10:34:26.165 11241100x800000000000000093495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.165{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\jumpListCache\I4hsjfEEsafz_9rilYFS6w==.ico2023-01-17 10:34:26.165 11241100x800000000000000093494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.165{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\jumpListCache2023-01-17 10:34:26.165 10341000x800000000000000093493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.165{F172AD64-7634-63C6-B901-00000000B002}49004560C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E22B3998)|UNKNOWN(FFFF8AA9E22B3B17)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000093492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.165{F172AD64-7634-63C6-B901-00000000B002}49004560C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E22B3998)|UNKNOWN(FFFF8AA9E22B3B17)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000093491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.165{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IN2YBM0E3X22Y872GP6P.temp2023-01-17 10:34:26.165 734700x800000000000000093490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.134{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14,IMPHASH=50E2F760F0B39DC72CAD6892FEDF2F27trueMicrosoft WindowsValid 734700x800000000000000093489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.134{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntshrui.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=625A0F3F48DE1F73FEBBC651E5812680,SHA256=FC44D9A2C46C7AEAEDE050ECC2C6F7AF43D34CF97138C40B9D4C3377D032FC21,IMPHASH=AC4154F2DB854AC5F42815BCE5C34155trueMicrosoft WindowsValid 10341000x800000000000000093488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.150{F172AD64-7634-63C6-B901-00000000B002}49004560C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E22B3998)|UNKNOWN(FFFF8AA9E22B3B17)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000093487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.150{F172AD64-7634-63C6-B901-00000000B002}49004560C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E22B3998)|UNKNOWN(FFFF8AA9E22B3B17)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000093486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.150{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WFFEIG4IIMBA3T2ST24P.temp2023-01-17 10:34:26.150 23542300x800000000000000069565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:27.222{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FEC9D69DB97C7A0FAE3B7ED8596F10,SHA256=610E0C7928C4944AAA788A6D4441559A913DC378980B53460367519B6125747C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000093687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.664{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.661{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755E96818B74B72B9B68684C9C6E2092,SHA256=4CDFE4AE695A898E9688F0187A1C2992A228C76A5E70BE2585FBAD3D85AAD065,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.546{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework.Aero.dll5.0.20.52003PresentationFramework.AeroPresentationFramework.AeroMicrosoft CorporationPresentationFramework.Aero.dllMD5=841F3BACAB3F65D8FA0BC235F632FF0F,SHA256=14628682987C813467085A3FAF747B47B96B1A5D5AA930ED5894CC4FAFBF9725,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.514{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Serialization.Formatters.dll5.0.20.51904System.Runtime.Serialization.FormattersMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Serialization.Formatters.dllMD5=B99D13C1A2EE563636B7A73520A50E25,SHA256=D224BD8B1BD73BEBCA7AFDFD7299238A6A976CC10875DA40A8D8B3649971CF98,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.502{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Drawing.Primitives.dll5.0.20.51904System.Drawing.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Drawing.Primitives.dllMD5=05540E9DB2363BA49FD1F67FB5F772C3,SHA256=CB37A6EC2AADF0F7A3318252FFECFE26EB1AE52298D48C21066B5A1B99966782,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.500{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.dll5.0.20.51904SystemMicrosoft® .NETMicrosoft CorporationSystem.dllMD5=95B3ED3EDC4D367A5195E01AA17CBF99,SHA256=9F3C3B2342F951CB32425E4CCB587A5E108BFF87E868932284991DD2F907C624,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.499{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.Process.dll5.0.20.51904System.Diagnostics.ProcessMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Process.dllMD5=81BBF7AD5FE0A623D74436FF0078F0A4,SHA256=283746B8D512635353013684B675A7FB881AD96CF3DECAB50FD2A5D16F1D61BC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.494{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Forms.dll5.0.20.52001System.Windows.FormsMicrosoft® .NETMicrosoft CorporationSystem.Windows.Forms.dllMD5=9BF7D9613B4BA6BAD606BB406D278714,SHA256=0B5C7FAA3366FC470E2147B508B1875186D08E73A404FB7946F26158F34B78C5,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000093679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.576{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.517{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x800000000000000093677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.373{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Globalization.dll5.0.20.51904System.GlobalizationMicrosoft® .NETMicrosoft CorporationSystem.Globalization.dllMD5=4814C845A5DA966954AB13B1CCB2D54C,SHA256=1AA9E7C6F4F9EABCDCA0E3FD581E58C40A76F2656B35BC489C39752B8769626E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.362{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Tasks.dll5.0.20.51904System.Threading.TasksMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.dllMD5=9AC3074133DB812E36412B909E498D5E,SHA256=2DB96F7BA231942D9241217FBA58701EFE8A3114E83D2EB6A02F5B0A520AF49C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.361{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Text.Encoding.dll5.0.20.51904System.Text.EncodingMicrosoft® .NETMicrosoft CorporationSystem.Text.Encoding.dllMD5=8C62514D94A6E08ABF78AAF7A473B83A,SHA256=BFE64C37AFC71098099D4A2244985D490684021A83C60CFCAC92FCE224B15832,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.337{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Tasks.Dataflow.dll5.0.20.51904System.Threading.Tasks.DataflowMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.Dataflow.dllMD5=4382CD62A33F70ED87F871AAB418E611,SHA256=A6D798249BED92E43B3333E1059CC8E8F340C823958ED2FB644E401A4EE7647C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.329{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Collections.Immutable.dll5.0.20.51904System.Collections.ImmutableMicrosoft® .NETMicrosoft CorporationSystem.Collections.Immutable.dllMD5=B0AE95B09725C166B6F951129E9ECDFB,SHA256=337EAB5E82BD5B2236253701562C06E8600EC6A90DBE749A3FBA009F8336F362,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.322{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Scripting.Roslyn.x.dll6.1.8.0dnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.x.dllMD5=E251CCCB136DC7E56DCEC8B7E238CC75,SHA256=3150088BEF62C04BC273F10665C5317CDE1694D6D4729BDE0AFCBD6D8FAEED94,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000093671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.321{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.x.dll6.1.8.0dnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.x.dllMD5=4BEBA9FE9171BB89F878DEED1185BCF4,SHA256=5776EEDDC5D1941D6EE9FF5905F3D9AC49657D4E4C052635226CE562039E5CDB,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000093670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.319{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.WebHeaderCollection.dll5.0.20.51904System.Net.WebHeaderCollectionMicrosoft® .NETMicrosoft CorporationSystem.Net.WebHeaderCollection.dllMD5=FC1E34270BFAF25DDA1E78C320A0D151,SHA256=0D91F682250134BF531BEED2ED0A364E7328E32E36F6AC255E19826557BE2189,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.318{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.x.dll6.1.8.0dnSpy.Debugger.xdnSpy.Debugger.xdnSpy.Debugger.xdnSpy.Debugger.x.dllMD5=7E2E8EB9091241BAFCAF05425D9AC403,SHA256=A035CE217AA7FCD2F71224E1E86F090B833374A21E9EAC7E66BE7DAE7190DCE8,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000093668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.304{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.Primitives.dll5.0.20.51904System.Net.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Net.Primitives.dllMD5=154C859876D4D303D0D284C45CDA82D7,SHA256=786B59C37AACB22EC69799A803A9ED296A198CDCEC259B3820D9CC03BA3D683A,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.301{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.Requests.dll5.0.20.51904System.Net.RequestsMicrosoft® .NETMicrosoft CorporationSystem.Net.Requests.dllMD5=C9A807295F3C8B1903F30950ABBDAF8B,SHA256=7E3BDD7E5991F84E832FDBEF7F5618725C0806D2E5653252FB4267C76E7EA2C5,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000093666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.397{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.397{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA75BD2F6AC957AFD35A66910113E79,SHA256=5E81819DCB4CCF38F71E2F4AB0A18B5DD6AB854DD58492205539BD6513C99593,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.298{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.x.dll6.1.8.0dnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.x.dllMD5=E9508FCFDBE3C732D7972392361025D5,SHA256=87A0896B818DE9D9EB76F146ADB31689C530D380CE80CF4E1EF4A977F46D576D,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000093663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.293{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Mono.x.dll6.1.8.0dnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.x.dllMD5=8ED65F8B4D85E11D172E5856BAD67E43,SHA256=02FF899E669E1B74611FE9D1FD8A8ABAB9B80364522F772A962AEFB32342DBB5,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000093662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.290{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.CorDebug.x.dll6.1.8.0dnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.x.dllMD5=DDCE67B0B140AC742ABE6604D7ADDC45,SHA256=3E80049D2AD93C8551E472C70EC6BD873D9434C618C25C53626AA32EF350AF6F,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000093661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.285{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.BamlDecompiler.x.dll6.1.8.0dnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.x.dllMD5=4F90A3DD3621D484D4835EFCEDF13CBA,SHA256=D1E8229FC04C433DDB42E37AB01E8B92A6E381ABFFBCEF0753B7DFD4DA2D69D6,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000093660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.280{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ObjectModel.dll5.0.20.51904System.ObjectModelMicrosoft® .NETMicrosoft CorporationSystem.ObjectModel.dllMD5=57CE68F64C52CF6EFB617B481DC528DA,SHA256=D30322B4ABEDE35857EF04B68D56C892FE770F47A1EA72CD2289EBC04FE12A68,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.279{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.AsmEditor.x.dll6.1.8.0dnSpy.AsmEditor.xdnSpy.AsmEditor.xdnSpy.AsmEditor.xdnSpy.AsmEditor.x.dllMD5=DB9F694BBE86911BD18454E3F99DB38A,SHA256=BF1BA7C86F3682ABBDF08449C6429F3F04A8CC8CD7612CD01430DB44665D94DE,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000093658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.253{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Collections.Concurrent.dll5.0.20.51904System.Collections.ConcurrentMicrosoft® .NETMicrosoft CorporationSystem.Collections.Concurrent.dllMD5=4B1FC8E3A3E01A9A353AA762B02E1B87,SHA256=604EF22A3C6290F62F434F134E75774A54BDB33ADAAB0A879865CAD1E61AE7F6,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.251{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Analyzer.x.dll6.1.8.0dnSpy.Analyzer.xdnSpy.Analyzer.xdnSpy.Analyzer.xdnSpy.Analyzer.x.dllMD5=B2A5E4618D8B333EA5CE0BECFBF808A3,SHA256=5BF8BAFA99AD97A53BB5AC3B639C6F41243C37D284EC22E1BE56F2CA1FEB6CB9,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x800000000000000093656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.247{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.dll5.0.20.51904System.ComponentModelMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.dllMD5=1F1E404FA9CA3EA9797BD730B7FC78C0,SHA256=32B2C2570C120F68E3EF63AFB4388A3F6156C7160F7DF7A67F8878E7E60EB380,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.245{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Extensions.dll5.0.20.51904System.Windows.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Windows.Extensions.dllMD5=541CCB7E1E7E776160E2924893406CE6,SHA256=4464604FE17B423C25C77724A9868A807C80A309B08CE7403DCF8EBB0FA748BC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.243{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Private.Xml.Linq.dll5.0.20.51904System.Private.Xml.LinqMicrosoft® .NETMicrosoft CorporationSystem.Private.Xml.Linq.dllMD5=D5CFE742830063B8B5EBBF42EA6B5975,SHA256=520A8630EFDC87A74534F8706660BDE6480E942CF298D21C60720919A9CEB0D0,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.236{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.XDocument.dll5.0.20.51904System.Xml.XDocumentMicrosoft® .NETMicrosoft CorporationSystem.Xml.XDocument.dllMD5=D970AD6EA1D7DB0B7AB49A8B13084527,SHA256=9A8DB4B5FD4E4B495EF60DA1D6C507730FDEB27F995DD8BCE4EB4E02C4486699,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.235{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.TypeConverter.dll5.0.20.51904System.ComponentModel.TypeConverterMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.TypeConverter.dllMD5=D2EB7A92C17AF7814C32BC31903DB59D,SHA256=F69474CF74B4DCEA38B0EC8FF2449046B947FB2CAB88037C887ECD4E0AEDF174,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.224{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.TraceSource.dll5.0.20.51904System.Diagnostics.TraceSourceMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.TraceSource.dllMD5=A51D78AA21A9D7BA5EC52C9BEBAF115D,SHA256=BA5109853BB46EAC4F992DA600C0B5031491122D292A19E1AE8FD457F50EF9E8,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.217{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.ThreadPool.dll5.0.20.51904System.Threading.ThreadPoolMicrosoft® .NETMicrosoft CorporationSystem.Threading.ThreadPool.dllMD5=98D6F7B79F3D10E837B5ADE942F9CBCB,SHA256=59229333A18005A8B364C9D0A47EF164C045BC86B6DA15B6B3D5DFD1B1E4461C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.199{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.Packaging.dll5.0.20.51904System.IO.PackagingMicrosoft® .NETMicrosoft CorporationSystem.IO.Packaging.dllMD5=FF6679C1CF6E9927C2F52AAE920F3643,SHA256=FA7FE1A4F31B2A8F3A1694D6DEA51AFE224640B182288B40A51765EB03FD7EC5,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.191{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Loader.dll5.0.20.51904System.Runtime.LoaderMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Loader.dllMD5=11028A0EF7403ABE86882F5372556C18,SHA256=194911107261E5A3CD3B9A4F0E61FE2AAC5E905ED3F9C57BC773B25A0FDDFA7B,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.181{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Linq.dll5.0.20.51904System.LinqMicrosoft® .NETMicrosoft CorporationSystem.Linq.dllMD5=2169CB43EB737E37A8138DD91C11837B,SHA256=D7E046CACEC0574713D74C79B85A7630E139D5233D9C087AA9FDEDE053C2CBB7,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.175{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.Win32.Registry.dll5.0.20.51904Microsoft.Win32.RegistryMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.Registry.dllMD5=367AED8921A059B07D89584A10150465,SHA256=06AD62B26DB912179971F2DD6F672B583A958AF8A71DC8E1D71564DB1D87B40F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.166{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Text.Encoding.Extensions.dll5.0.20.51904System.Text.Encoding.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Text.Encoding.Extensions.dllMD5=ACB9D1C51F8C89ED44DB353DBB308443,SHA256=1A9EE9F297CDFDABBC0753F4C253FFC9C04E9B722FF1AD8C9C34BC37095649AC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.164{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.Algorithms.dll5.0.20.51904System.Security.Cryptography.AlgorithmsMicrosoft® .NETMicrosoft CorporationSystem.Security.Cryptography.Algorithms.dllMD5=873DCC8981A29665A6A79611DC84DABF,SHA256=71127121F97A18ECB3974FA3905C45656D8FEC6465D63C6E654EC50CED9CC5B5,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.153{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Net.WebClient.dll5.0.20.51904System.Net.WebClientMicrosoft® .NETMicrosoft CorporationSystem.Net.WebClient.dllMD5=75623FA71B5D179C4DD0498F1A1D7591,SHA256=16A4720F3A3D5A4D0F4053BDC63FB0498C91938ADDCBCA41A07EB3F744A01D7D,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.147{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Private.Xml.dll5.0.20.51904System.Private.XmlMicrosoft® .NETMicrosoft CorporationSystem.Private.Xml.dllMD5=9C123C694F99779A286D988B33306CA8,SHA256=CB24643937C9575AF9B00DDC166B6BAF7E89DC2AD8FCC6F38C7C89CAB7C7D9C7,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000093641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.228{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Local\Temp\CASESENSITIVETEST51f3d670b16a488db90da71ef9d2d8fa2023-01-17 10:34:27.228 734700x800000000000000093640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.072{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.ReaderWriter.dll5.0.20.51904System.Xml.ReaderWriterMicrosoft® .NETMicrosoft CorporationSystem.Xml.ReaderWriter.dllMD5=9D4B9EA8A85B760EBAE0EFEAFE786CAE,SHA256=6DC71094E16B389A21ADEAA031A22E191864CFFC3CB74BFB947A570941B7603C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.177{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000093638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.067{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Private.Uri.dll5.0.20.51904System.Private.UriMicrosoft® .NETMicrosoft CorporationSystem.Private.Uri.dllMD5=86282DBCB7B8C7A591EBB6693B4F5162,SHA256=D957B8A567980DD94B2957A4B1E5E412140B8A5152C600EFF367CBF039538871,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.059{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Collections.Specialized.dll5.0.20.51904System.Collections.SpecializedMicrosoft® .NETMicrosoft CorporationSystem.Collections.Specialized.dllMD5=1F0809A6206738D38C91FA9ACAC0BD70,SHA256=5CC4B3C79DBAAEEC09B4E9A5DB4980F291BA2969BE7B47264AD165DA39A6D0B7,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.056{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Configuration.ConfigurationManager.dll5.0.20.51904System.Configuration.ConfigurationManagerMicrosoft® .NETMicrosoft CorporationSystem.Configuration.ConfigurationManager.dllMD5=868F46E042390E5F8815C29D470996A2,SHA256=C928CE6DB67759FC6F16F777A4DC7BC7080D2AD6A82BA3A436536E2EB90BF290,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.044{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationNative_cor3.dll5,0,20,51202 @Commit: ed62575cb0a325b9028eddc675a05045762ec24cPresentationNativeMicrosoft® .NET Framework-PresentationNativeMD5=12348E9B2DA243BA759AB906C6255B83,SHA256=06B419E54FCD90B0E6CD7DC31F952B2F7E1F185D83089FAE73444D6F22B1EECB,IMPHASH=9043F505CF2D34C0195523A9EDC609F4trueMicrosoft CorporationValid 734700x800000000000000093634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.019{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Thread.dll5.0.20.51904System.Threading.ThreadMicrosoft® .NETMicrosoft CorporationSystem.Threading.Thread.dllMD5=472EFA789AFE9644A7A291F6FC25CBFC,SHA256=56174D679200F3BBC04CB1F3EFE3DEC7BA2976B65BEA0CF96778C4634F94D66B,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.017{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.Primitives.dll5.0.20.51904System.ComponentModel.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.Primitives.dllMD5=6D36049BAA98212D4ACB1511CFDCC6A4,SHA256=6F3751BB28CB82BC0FE1015D35B52DDF0CE05D4F77756207632E43577DD6728F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.015{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\UIAutomationTypes.dll5.0.20.52003UIAutomationTypesUIAutomationTypesMicrosoft CorporationUIAutomationTypes.dllMD5=490EEAB78011668CBC4020543B7957C9,SHA256=9902D460A5A49DAFB857FFEE9F19A6EF3F8C13690AB3880225FF1AFFB5E48EB3,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.009{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Memory.dll5.0.20.51904System.MemoryMicrosoft® .NETMicrosoft CorporationSystem.Memory.dllMD5=484870F7A0D28AC2FA5EA5927A59B5DC,SHA256=2578B594028C14BC491D165584F4977B45DFA0D7D3997A6B735E803E28A2EE33,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.006{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Collections.dll5.0.20.51904System.CollectionsMicrosoft® .NETMicrosoft CorporationSystem.Collections.dllMD5=CF0A843A494592780FECE8896602935D,SHA256=6213C22B8C26248D9544CBEA1192A3A8AA5885B413C8F8DC23B5682BA7B9F65F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.994{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xaml.dll5.0.20.52003System.XamlSystem.XamlMicrosoft CorporationSystem.Xaml.dllMD5=F386627EF52DF8ECA240BAA08A81D636,SHA256=5DEA099473CD33C318AD2794541DEF1CDEA55163BA71E8308AA92D398894D40C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:26.977{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework.dll5.0.20.52003PresentationFrameworkPresentationFrameworkMicrosoft CorporationPresentationFramework.dllMD5=BF7EB047BA48D932A1D0702EB1AA69BE,SHA256=EEF58BA8DBAC8F889AAF29A5FE90D5BF910A677386621C8AD24F58372EC83A1C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.068{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x800000000000000093626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.016{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000093625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.016{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000093624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.016{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000069564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:24.185{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50361-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000093623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.011{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup64\net2023-01-17 10:34:27.011 11241100x800000000000000093622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:27.011{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup642023-01-17 10:34:27.011 23542300x800000000000000069566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:28.320{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4036D01E2252ED8FD18AE5A67FF87D,SHA256=2210819CC26A2E54FA75BF2F3707A8EFEA46A05275E886F81E13B3E07062AA76,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.971{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Emit.dll5.0.20.51904System.Reflection.EmitMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.dllMD5=C49FBBC522F8DACD9164FE4F4EF712DE,SHA256=6A11B4FD376C10F7F3C01C2BF1DB4FF6CFF752FA37478DBD76B9B12F644971E1,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.961{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\D3DCompiler_47_cor3.dll10.0.19041.1 (WinBuild.160101.0800)Direct3D HLSL Compiler for RedistributionMicrosoft® Windows® Operating SystemMicrosoft Corporationd3dcompiler_47.dllMD5=7641E39B7DA4077084D2AFE7C31032E0,SHA256=44422E6936DC72B7AC5ED16BB8BCAE164B7554513E52EFB66A3E942CEC328A47,IMPHASH=36F6D7806085BD3A70ED8C5DCB51F6C8trueMicrosoft CorporationValid 734700x800000000000000093722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.925{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\wpfgfx_cor3.dll5,0,20,52003 @Commit: 9e81b0885121e9958e48895ae48be9639a396528wpfgfxMicrosoft® .NET Framework-wpfgfxMD5=DD8B9A4EA48102503256DEAD34E103B5,SHA256=DD7AECE6AEE0B3A4D28C135519644F56FDF3A64220EC8D3C76C2274C361CE93A,IMPHASH=6002A9F27951D78A626106F4A55423ACtrueMicrosoft CorporationValid 734700x800000000000000093721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.900{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ComponentModel.EventBasedAsync.dll5.0.20.51904System.ComponentModel.EventBasedAsyncMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.EventBasedAsync.dllMD5=577CBF5301927D3A15F325C283CF4628,SHA256=BE2A1774AD11E69413DC0678CD3FA1B489B198592F3351FE56BDB8F71DDA9925,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.826{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.Win32.SystemEvents.dll5.0.20.51904Microsoft.Win32.SystemEventsMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.SystemEvents.dllMD5=AE84265DB0D22A51E728FC6A34465FDE,SHA256=432323E752D9029B64F55832ED80DDBF6F34D1F01AAFDBB86CD92C4ABDF2C795,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000093719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.728{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup64\net\dnSpy-mef-info.bin2023-01-17 10:34:28.728 11241100x800000000000000093718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.680{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.680{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6211EA1351989FB1CEE04ECCC9AF80,SHA256=45ADD3FC540949EF80D5C9857F9E30053CBCD74C62A37ABE93261BEC75E16030,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:25.326{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49598-false10.0.1.12-8000- 23542300x800000000000000093715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.470{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-052MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000093714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.468{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0522023-01-17 10:34:28.468 11241100x800000000000000093713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.467{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0532023-01-17 10:34:28.467 10341000x800000000000000093712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.381{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000093711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.381{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000093710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.380{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000093709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.053{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.052{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.051{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.050{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.050{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.048{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.046{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.046{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.045{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.044{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.041{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.040{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.037{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.035{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.033{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.025{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.022{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.020{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.019{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.016{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.002{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.001{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 23542300x800000000000000069567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:29.615{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F897B2BAC4C493A235ED21D9AFBBDE,SHA256=9CF0B1EDA528E71CCAC6A57755F7F6032DBE7E5574A6716729581E9896C86914,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.932{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.Compression.dll5.0.20.51904System.IO.CompressionMicrosoft® .NETMicrosoft CorporationSystem.IO.Compression.dllMD5=32270CD02BDEF9A69510AA6F89742C33,SHA256=D71622E1CA19E25615EA487A68B96CD4D806253B6FE541C2ED3B9AC797E1E6F2,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000093784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.844{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.844{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.844{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.838{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.835{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.832{F172AD64-7634-63C6-B901-00000000B002}49005544C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.832{F172AD64-7634-63C6-B901-00000000B002}49005544C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.831{F172AD64-7634-63C6-B901-00000000B002}49005544C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.831{F172AD64-7634-63C6-B901-00000000B002}49005544C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.831{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.830{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.830{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.830{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.791{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Text.RegularExpressions.dll5.0.20.51904System.Text.RegularExpressionsMicrosoft® .NETMicrosoft CorporationSystem.Text.RegularExpressions.dllMD5=843D46D8E3F808AA4B9A43C19A43AA22,SHA256=C510ADAAA89E3A43AB53E186DF8125EE7118FE9CB2C817652EB1FD8BF491AA55,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.728{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000093769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.728{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000093768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.728{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000093767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.728{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000093766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.712{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Forms.Primitives.dll5.0.20.52001System.Windows.Forms.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Windows.Forms.Primitives.dllMD5=96698C216DBF79EB13A6584904D669DA,SHA256=F306AA6921CB28E127B205883BC53FD2984986AD9B4EF7F7E7A3B3696450821A,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000093765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.712{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.712{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674882351EB55DE9AFE3F265B60D4356,SHA256=D7D4FE0F56AF828EBF2A926CD20C06AE9C8B3AE207E9C846EC9498D3DFE26318,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.630{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Xml.Linq.dll5.0.20.51904System.Xml.LinqMicrosoft® .NETMicrosoft CorporationSystem.Xml.Linq.dllMD5=2A798365A28127B0A7495350BA58B9BA,SHA256=67E9CCB81426AFD9F0CFC269C059959A3270F120D54BAD21469BC29369F893F5,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.630{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework-SystemXmlLinq.dll5.0.20.52003PresentationFramework-SystemXmlLinqPresentationFramework-SystemXmlLinqMicrosoft CorporationPresentationFramework-SystemXmlLinq.dllMD5=94D6F3D618CE0D38F93C831914B39BA0,SHA256=74FBA389F682185471298636CA19D81FF65BC848DFDE53ACD3930B3E2BEF725D,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000093761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.585{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.570{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.570{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Windows.Controls.Ribbon.dll5.0.20.52003System.Windows.Controls.RibbonSystem.Windows.Controls.RibbonMicrosoft CorporationSystem.Windows.Controls.Ribbon.dllMD5=B30163C13DF0D078F7A7A1B03F5BADE6,SHA256=617C50BAD51BECA203140E1519633E69FB8F2BD3A18721393E1D1ADA3449F8A1,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.552{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\WindowsFormsIntegration.dll5.0.20.52003WindowsFormsIntegrationWindowsFormsIntegrationMicrosoft CorporationWindowsFormsIntegration.dllMD5=0C3DB712E8E5298C3477400581B522DF,SHA256=DDC5E9D01BF8ACF30381B1D2FFAD63B67C85FE46B2A17E20891B82660B35828C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.528{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x800000000000000093756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.528{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3925E01E00CC6FF3435E0657E78562D0,SHA256=843F42CE8D28816A990ADB0B9393592703F8CE5A4008E5F5513815A2886F973F,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x800000000000000093755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.513{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=C9DBBC2C3A27BB195586C3BC3CDBC198,SHA256=005F60E22A386DB12FA086D7E83DE521B00F69B073D1859E4E13C3F745690638,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x800000000000000093754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.513{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x800000000000000093753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.499{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 734700x800000000000000093752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.499{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000093751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.484{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 10341000x800000000000000093750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.484{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.484{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.484{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 10341000x800000000000000093747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.484{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.484{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000093745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.482{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-053MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.384{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000093743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.384{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FF,IMPHASH=6691D3D33C2662107A11540A5A994674trueMicrosoft WindowsValid 734700x800000000000000093742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.367{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework-SystemXml.dll5.0.20.52003PresentationFramework-SystemXmlPresentationFramework-SystemXmlMicrosoft CorporationPresentationFramework-SystemXml.dllMD5=83EB3830AB546A7886896CDD329B3807,SHA256=4DBC290FBD41EE00C63E30B054AF5287342EDD54935A6EE60D9F639001E7A2B4,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.312{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Claims.dll5.0.20.51904System.Security.ClaimsMicrosoft® .NETMicrosoft CorporationSystem.Security.Claims.dllMD5=620334BBFEEDFBD99B63AA3463448A01,SHA256=6B8DF3081A329C432D72334DA1C388D5E8B7A50A6E0B3B4F9AC2B33CDF44221C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.312{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Principal.Windows.dll5.0.20.51904System.Security.Principal.WindowsMicrosoft® .NETMicrosoft CorporationSystem.Security.Principal.Windows.dllMD5=F2F2A65996E59A9F4CB88A185E8783B2,SHA256=67906118A624EBC8760902CFF29007DE542C1413BEDC0C0FC35EA9FB6061AB1F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.296{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 734700x800000000000000093738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.281{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000093737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.281{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x800000000000000093736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.281{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000093735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.281{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x800000000000000093734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.243{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Drawing.Common.dll5.0.20.51904System.Drawing.CommonMicrosoft® .NETMicrosoft CorporationSystem.Drawing.Common.dllMD5=44E15B8FE6758868B6EE9A9539784868,SHA256=2BF4207E9CEE8EAFA27046E6480AB92781D794C08A4C468C4E06CAC94DEC506B,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.233{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Resources.ResourceManager.dll5.0.20.51904System.Resources.ResourceManagerMicrosoft® .NETMicrosoft CorporationSystem.Resources.ResourceManager.dllMD5=0CC3BA354ADB920830E67DC63F39E94A,SHA256=09272CCACAFFDE0EDCE84B226BC5ED44A8D67A79428285070570FBB4A8A09249,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.207{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\PresentationFramework.Aero2.dll5.0.20.52003PresentationFramework.Aero2PresentationFramework.Aero2Microsoft CorporationPresentationFramework.Aero2.dllMD5=AD5C59EDCC25ABE7228087743C4BF924,SHA256=E197B626ADC0919F58FA7124A17A56872473895BFB8AC46C7ADB1FF72531ADB2,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.194{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x800000000000000093730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.172{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\d3d9.dll10.0.14393.447 (rs1_release_inmarket.161102-0100)Direct3D 9 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D9.dllMD5=98326410B37312F3A57E8040250BDC32,SHA256=ADDEE549568ABA1E45C6868D76162F5DE6E58CBD83C43429EA0F9868ECA3DC42,IMPHASH=A3F81B60CD48F233C949F2E60B5C9AD4trueMicrosoft WindowsValid 734700x800000000000000093729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.106{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\UIAutomationProvider.dll5.0.20.52003UIAutomationProviderUIAutomationProviderMicrosoft CorporationUIAutomationProvider.dllMD5=3BADB651BD33EE42DC624B722B1ABC11,SHA256=C9A8676917E8C8248FA89435AFEFAEA4B20209A3423590EED92E98A1B4EFA818,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:29.018{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Core.dll5.0.20.51904System.CoreMicrosoft® .NETMicrosoft CorporationSystem.Core.dllMD5=3A9FA22C5FE344AEBAD4A244D99F6B54,SHA256=AF9C6D159508EFF94BE2D7B3096FA08C20B0E69252EDA901E319C9F145B2AA6D,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000093727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.991{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.974{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Primitives.dll5.0.20.51904System.Reflection.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Primitives.dllMD5=14D2B29081932089F227C37034A75F55,SHA256=1C7D5BFC57958A3D5C77F0FAED78A61B3A7756D6DAB5FC65F75E2E41F87AFDE7,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:28.973{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Emit.ILGeneration.dll5.0.20.51904System.Reflection.Emit.ILGenerationMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.ILGeneration.dllMD5=4ACCD1A919052887EE4F850A4302CF83,SHA256=071E64C30ECE708367E445C6C7E05A2D0EC3494ECF82197F3B694896C081D445,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 23542300x800000000000000069568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:30.714{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9CD96D49FD25903500F0D591674175,SHA256=9F608056B47F2D394C84668A81518981754B57484F9BCEA19F1AE24D2552D174,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000093834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.999{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.997{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.991{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.989{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.974{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.968{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.967{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.965{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.963{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.961{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.960{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.960{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.959{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.946{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.937{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.935{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 734700x800000000000000093818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.907{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.Tools.dll5.0.20.51904System.Diagnostics.ToolsMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Tools.dllMD5=AFBF6251C76864824EA70877F6EE3022,SHA256=0E2D797DA03734337D03682C9C61F7EB021AC5A0758E4044B9F0111E2189A7E4,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000093817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.907{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.902{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 734700x800000000000000093815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.897{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Extensions.dll5.0.20.51904System.Reflection.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Extensions.dllMD5=505B2B85380A0D2495F05DEBD87E6755,SHA256=34B353D574A6660943935EED616CDF4AD0394EC293B33151ECFBD76AEBA0E0A3,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000093814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.891{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.887{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.885{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.883{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.881{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.879{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.877{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.876{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.874{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.873{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 734700x800000000000000093804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.852{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Tasks.Extensions.dll5.0.20.51904System.Threading.Tasks.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.Extensions.dllMD5=33544A813A9B88EF8BE16B004388626E,SHA256=54256ED2494C4AE76085B23856219A6AE9503EF31ED6491FE2C6F26DCA6C8F7A,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 23542300x800000000000000093803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.846{F172AD64-79B2-63C6-8A02-00000000B002}6208ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Local\Temp\WPF\2ry4hiuo.sa3MD5=825AB5E8C725411B8B9C319BDCC8EA4E,SHA256=2E3A2C34CC9728CB3C1915E1C778FD0D63D46AC8E238C90726C96E4A31042357,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.841{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.ValueTuple.dll5.0.20.51904System.ValueTupleMicrosoft® .NETMicrosoft CorporationSystem.ValueTuple.dllMD5=630EE796A6E81E5BAAB41925351FB8E6,SHA256=64ADFEEA752E777AD670358AD2A2F6059454A05D79374BF241E2AE41EAB6C9F3,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000093801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.844{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Local\Temp\WPF\2ry4hiuo.sa32023-01-17 10:34:30.844 734700x800000000000000093800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.792{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.dll5.0.20.51904System.ReflectionMicrosoft® .NETMicrosoft CorporationSystem.Reflection.dllMD5=9F91F399881CB55B607E3D08FFDA50A6,SHA256=1D976BD523EE4753CA8E29F681EFF7089532EC9700E8C359BD08000DB47728A4,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.781{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Metadata.dll5.0.20.51904System.Reflection.MetadataMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Metadata.dllMD5=5CB5C86881FD52A60DD055975E65CB0E,SHA256=429D85FD988E67945728C9CE79826F975224A0A44DA5C7D50E8569DC9BD8FF9D,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.772{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.dll5.0.20.51904System.IOMicrosoft® .NETMicrosoft CorporationSystem.IO.dllMD5=E3FBF4B24A22C328A5092DBF9C4D4B3A,SHA256=8278C54E61A70D8B35211D98A3DB08EA9DDE0F955125572B83251A5B41341CDC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000093797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.768{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup64\net\startup.profile2023-01-17 10:34:30.767 11241100x800000000000000093796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.752{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.752{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2061B3FBD1C959472B1816851406CF68,SHA256=AF645583A8525AAE22B7C5A21E0B53CB8DBCD6726C9DAAAF4080F048B4EA507D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.694{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\msctfui.dll10.0.14393.953 (rs1_release_inmarket.170303-1614)MSCTFUI Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTFUI.DLLMD5=EB263F8DA9374DFDB586C2C2ADE878F0,SHA256=33AD138029349BE8788267E1615398F60E5E97DB19710E31510735EC1F750AEC,IMPHASH=A4ED68636CED089826925690ADE59E63trueMicrosoft WindowsValid 734700x800000000000000093793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.489{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Reflection.Emit.Lightweight.dll5.0.20.51904System.Reflection.Emit.LightweightMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.Lightweight.dllMD5=F3597DBEA77964BC53F6B0AE261DE7A4,SHA256=0138641097AFF952DB380DF1CB30CCC406DE197D22B4BF9D1E838B57C293C88B,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.447{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Security.Cryptography.Primitives.dll5.0.20.51904System.Security.Cryptography.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Security.Cryptography.Primitives.dllMD5=50BB53A879C61779155FE84EFA7277FE,SHA256=9CC7B60DCF12C6C2509390320A5F4620E386D9DA97DB5F88408554FD4FB40220,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000093791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.370{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.369{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.087{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.084{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.079{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.068{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 11241100x800000000000000093847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.787{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.787{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A5F9B301215C99BDCC93FD9EAE054A,SHA256=39CC6202F31FFADFA2C7C9FA39063345719B5E503F3A3186D06226F7CBEEDA8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:31.807{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7D69E666646D1706372534A516F136,SHA256=B5D6F767635DFC90A284A4A838CAE2776D0B70519388BBB3830F1F61A6278789,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:29.213{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50362-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000093845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.337{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Linq.Expressions.dll5.0.20.51904System.Linq.ExpressionsMicrosoft® .NETMicrosoft CorporationSystem.Linq.Expressions.dllMD5=285776C8B94191385DB52F1C063660EA,SHA256=DBC07A3912117C474C2BB251D0CE9A36F48818B02D2AB6D58AE5EA4DC8E92A07,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000093844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.156{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x800000000000000093843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.155{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000093842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.018{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.016{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.014{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.012{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.009{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.006{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.004{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.002{F172AD64-7640-63C6-CB01-00000000B002}61966320C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80610) 10341000x800000000000000093853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.989{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.887{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.Numerics.dll5.0.20.51904System.Runtime.NumericsMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Numerics.dllMD5=3E8ADCCA0EC216F77E282AD872E7B2DC,SHA256=61B64DD4B31D76398D39AE2C019D8798212F66E81B88579F3FEB459DA7844C47,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 11241100x800000000000000093851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.868{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.868{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FCE6058A495A1EC7E791E808EF9936,SHA256=75F1DF83DFBAE363E8135E09A1561D4FF0D7C5638410261DB77102B894088E2E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000093849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.076{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C5F8A68B763900F382FC5DE95A0256A1D87A94612023-01-17 10:34:32.076 10341000x800000000000000093848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.034{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.973{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\oleacc.dll7.2.14393.5127 (rs1_release_inmarket.220514-1756)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=3737D7B3A07BD11A31CD91B11F7EBA46,SHA256=528C1810C991DD93FA25D6A67A1415BC0A189189AEE0A62C0C79A43AA594E978,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 734700x800000000000000093864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.973{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\sxs.dll10.0.14393.5582 (rs1_release.221130-1719)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=F2A8CD581B7D437C69B57A11C3C45E5D,SHA256=43CE351FE5BBF22128A1A60EC5BE4C70B0BC1496AD276FF04A484F7B86921B0A,IMPHASH=1CD4F5164C272A4717A58FD86B640C54trueMicrosoft WindowsValid 11241100x800000000000000093863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.973{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.973{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36587E14EE41031540C8AF45DD46CADB,SHA256=F07A14AA1C4E875450A9D4A399FDE342F918BADC9836CC1B01059D04734405AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000093861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.896{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.896{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.407{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.395{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.371{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.359{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.321{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.313{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.301{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.294{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.289{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.281{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.280{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.277{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.276{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.274{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.271{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.258{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.255{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.248{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.241{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.238{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.224{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.214{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.178{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.165{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.156{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.147{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.134{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.127{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.119{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.112{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 23542300x800000000000000069573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.111{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196F8F014B998D3DC6FEF80DE09F32A7,SHA256=0FA3FFFCD7EC5251315B491721D78537D32A7FE89270F757ACE62097E8909310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.104{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:33.100{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 734700x800000000000000093859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.826{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 10341000x800000000000000093858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.812{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CCA-63C6-0100-00000000B002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000093857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.696{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.695{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000093855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.159{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61510- 354300x800000000000000093854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:30.260{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49599-false10.0.1.12-8089- 11241100x800000000000000093873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:34.956{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:34.956{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5EB198469335D7D09688DDB82DAF7FE,SHA256=7BA5876EFEEB942F8406830253100CD60AFCF1570C1E809B38FAC1C149FD497D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:34.644{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A239441B435CC80715EE292DB98B3116,SHA256=ACFA1BA7722831BCEB235FF6F345DA94EC72C7CD33341A73CFF7188F0EA17E32,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000093871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:34.871{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000093870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:34.871{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=942D8595BAA08C3FE4CE41249BD165C1,SHA256=55F508A4E8D5D3E40329ACC4247336530C4ABDEA5E1F7DAE463CCCDC3EE99734,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000093869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:31.169{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49600-false10.0.1.12-8000- 734700x800000000000000093868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:34.671{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeC:\Windows\System32\taskschd.dll10.0.14393.4651 (rs1_release.210911-1554)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=5FE3004A4C13FBC1B67CA879BB23800B,SHA256=120A7B49788154395D02C920D9F699EC944784C5162D9CDF8AFD8C927A26B1D1,IMPHASH=2C7BF5CADC559377391AFDF385763E3CtrueMicrosoft WindowsValid 11241100x800000000000000093867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:34.273{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\xulstore.json.tmp2023-01-17 10:34:34.273 734700x800000000000000093866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:33.991{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Accessibility.dll5.0.20.52001Accessibility-versionMicrosoft® .NETMicrosoft CorporationAccessibility-version.dllMD5=EE37842CA98DCF5E05EF2CD37BA7B192,SHA256=3B2FB9F8A86546C3369819611CAD29A037EB9DDA399C7894F8332350D05DC30F,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 23542300x800000000000000069611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:35.735{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2BD4DCA6B11126A92E00E2DDEF4C68,SHA256=12C5AC512909BC7BAB3FD9C3AA1E7170A2ACF065B905EAAB51C31C2309A186E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000093886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:35.810{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log2023-01-16 12:48:26.243 354300x800000000000000093885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.937{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49603-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local445microsoft-ds 354300x800000000000000093884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.937{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49603-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local445microsoft-ds 354300x800000000000000093883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.826{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49602-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000093882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.826{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49602-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000093881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.818{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49601-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000093880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:32.818{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49601-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local389ldap 10341000x800000000000000093879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:35.165{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:35.165{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:35.165{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:35.111{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:35.111{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000093874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:35.087{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log2023-01-16 12:48:26.243 23542300x800000000000000069613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:36.821{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3E217F0B1117C625E1292B8B4C55AA,SHA256=3505883172B54B51299C4741890F6EBFE2BCCBCE09E37C22AE5BEB47DD28CF71,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000093899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.988{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.IO.Pipes.dll5.0.20.51904System.IO.PipesMicrosoft® .NETMicrosoft CorporationSystem.IO.Pipes.dllMD5=6A9D40F375F71BFFDA85E149AF41AA95,SHA256=1D007A416FF6D80BC03CC0A7CD8EC3A7081F9CCE7840866756292B1A527B110E,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.972{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Console.dll5.0.20.51904System.ConsoleMicrosoft® .NETMicrosoft CorporationSystem.Console.dllMD5=6F45E04AF7913BC85BFC9664D8F9CBCC,SHA256=60C161A1AD5BC1121A51E67EC1F29FFA06C2E0C4551E508FB332699603C03A5D,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.972{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Debugging ServicesMicrosoft® .NET FrameworkMicrosoft Corporationmscordbi.dllMD5=3CDCCFE453AEE38BD5FB972466AFEB40,SHA256=502A706A57978C8C636A28263802DD1C7A4ED5A15AE3E18D658AE296697F9CD0,IMPHASH=F6DF9EB0F904CF1991EEAAD4FF28535AtrueMicrosoft CorporationValid 10341000x800000000000000093896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.972{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.941{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000093894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.941{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x800000000000000093893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.941{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 10341000x800000000000000093892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.888{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.888{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.888{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000093889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.227{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log2023-01-16 12:48:26.243 11241100x800000000000000093888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.056{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:36.056{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8801A02D398B6D67E38871061E3AAA4F,SHA256=F5D19C88B4C58228C83162C75BE80D01DA3E60B80001E270B0CAE19F7F16614B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:34.227{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50363-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000093980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.978{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.962{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.959{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.841{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.831{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.789{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.773{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.688{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.688{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.688{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000093970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.673{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6,IMPHASH=291B64B0984CCD3A091CF75D2A111D5DtrueMicrosoft CorporationValid 734700x800000000000000093969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.628{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000093968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.628{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000093967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.588{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=1E97AB4809C6F313924374B955C06609,SHA256=0EED3DC3607EC986FFC8BE594A6656D668647DCC84E2158006123A4EBD273B12,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 734700x800000000000000093966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.541{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Diagnostics.FileVersionInfo.dll5.0.20.51904System.Diagnostics.FileVersionInfoMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.FileVersionInfo.dllMD5=76F4023F68B87C4C81CD771BEFA3BB25,SHA256=1879ABD0D4F8E6F4E4F84783CE5A42227DFCE02AB13D360BE7E0DA77F10D5A77,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.511{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.511{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000093963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.457{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.428{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 10341000x800000000000000093961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.412{F172AD64-79B2-63C6-8A02-00000000B002}62084484C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CF6EBC) 734700x800000000000000093960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.402{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 11241100x800000000000000093959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.338{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.338{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D12FD0DFB3FB75363401B50C16A7469,SHA256=CAB51CCB312F09879A055DB69535A82123D20AFB542DE6DAE9D099BB9DB1D7D2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000093957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.336{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000093956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.336{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=094B459C13E8DEF61226BA080B39D18F,SHA256=E28E32488FA03E68611EA188B6E1777D4FF1C50AA8E04A5FC9FB6D371969BA90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000093955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.323{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000093954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.323{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 734700x800000000000000093953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.205{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Runtime.InteropServices.RuntimeInformation.dll5.0.20.51904System.Runtime.InteropServices.RuntimeInformationMicrosoft® .NETMicrosoft CorporationSystem.Runtime.InteropServices.RuntimeInformation.dllMD5=97C74E267FEA9FC91FCEEE3D24E3447B,SHA256=F8F25DD84A563FC3AAB947EC77BA017D0A9F5FEDE6B3C41C1F2230B2E4EBD44B,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000093952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.177{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationmscordacwks.dllMD5=34430BB4DBFA4814115EC8D42BE9B4CC,SHA256=9E5008F4B2B9A12EA4262647C1A6362E1CB96DFBC68B538E133B2A2A3CD9F33F,IMPHASH=749340B5A3E31B3E36A3A4A7F57CCF2DtrueMicrosoft CorporationValid 10341000x800000000000000093951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.228{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000093950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.228{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000093949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.228{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CB0F3B) 734700x800000000000000093948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.147{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153,IMPHASH=0524DC27AA10ADA72FFB6F88F5FD8829trueMicrosoft CorporationValid 734700x800000000000000093947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.140{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32F,IMPHASH=CD244BF7A749BF0B13E038D2EE842BFCtrueMicrosoft CorporationValid 734700x800000000000000093946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.138{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=3E93DA6D9661961064868E1DC8719674,SHA256=94E0505EFFF30A222546870508A8016D3EABE0F1B05ECC51997153AB9D9188DF,IMPHASH=259C196C67C4E02F941CAD54D9D9BB8AtrueMicrosoft CorporationValid 10341000x800000000000000093945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.211{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000093944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.207{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000093943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.206{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.189{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA6406) 10341000x800000000000000093941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.189{F172AD64-79B2-63C6-8A02-00000000B002}62084484C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA38F9) 10341000x800000000000000093940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.160{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000093939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.160{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000093938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.160{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000093937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.158{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log2023-01-16 12:48:26.243 10341000x800000000000000093936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.156{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000093935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.156{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000093934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.156{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000093933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.150{F172AD64-79B2-63C6-8A02-00000000B002}6208428C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c1d4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:37.008{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000093931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000093930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000093929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000093928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.041{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000093927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.041{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000093926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.041{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000093925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000093924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000093923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000093922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000093921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000093920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000093919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000093918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x800000000000000093917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000093916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\svchost.exe0.0.0.0 --svchost.exeMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 734700x800000000000000093915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000093914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000093913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 10341000x800000000000000093912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79B2-63C6-8A02-00000000B002}6208428C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9424|C:\Windows\System32\KERNELBASE.dll+c3fe5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000093911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000093910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79B2-63C6-8A02-00000000B002}6208428C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79B2-63C6-8A02-00000000B002}6208428C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79B2-63C6-8A02-00000000B002}6208428C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+55fc0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000093903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-79B2-63C6-8A02-00000000B002}6208428C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7437c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5522b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000093901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.028{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0.0.0.0 --svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe" 10341000x800000000000000093900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.027{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x800000000000000094005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.499{F172AD64-79BD-63C6-8C02-00000000B002}7060C:\Users\Administrator\AppData\Roaming\svchost.exe 10341000x800000000000000094004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.483{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000094003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.481{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000094002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.475{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000094001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.428{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 11241100x800000000000000094000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.428{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000093999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.428{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94C895D24B80818671559E561B81F9B,SHA256=71163A7CFF4FE00DC4223C207085E0DD308A015ACCA2EA29F3D1067275DFE6CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000093998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.428{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.360{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.328{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.328{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.312{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.298{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.298{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.283{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.278{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 11241100x800000000000000093989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.273{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 13:16:44.659 23542300x800000000000000093988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.273{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3262B17226D4D64B6AF3C36D34115F43,SHA256=5FCD87BE88CF1B2ECD4A16EF514055F28C5147FD8AB992B0D0230224BDCAF341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000093987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.272{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.257{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.242{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.225{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.171{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 23542300x800000000000000069644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:38.050{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245AAC461880FB6481CD23E8DFEC7B64,SHA256=C1978CB840D13CF325653952980972B049490C7E019CC78199C494C0F9D88F38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000093982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:38.008{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000093981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.992{F172AD64-79BD-63C6-8C02-00000000B002}70606020C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 11241100x800000000000000094007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:39.197{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:39.196{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B97E6434A1A68AE3758A96949338C8D,SHA256=0EA998EFA8EEA3D9626202F06C5CDBAF449E1F964EDFB6F3AC221863CBD777EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:39.132{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B9FC84398F918C1744A1E5994919C2,SHA256=095FA63311BFED01BCF2DEE108D14DA84BC202D784BCFE6834AF57044F2BF1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:37.205{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49604-false10.0.1.12-8000- 11241100x800000000000000094009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:40.300{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:40.300{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF5A452481C24A5888DAB3D83AF4AF0,SHA256=590AEB57B452FC787A43E25E904C38A90D9F6F8F60D660E43914B01B60998F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:40.227{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633F3714F578498463A109DBBE4F2870,SHA256=57DB61E934477F60D1672CDEB9E5F85AC621BDB712E925F1D1BD6CC6C0C8285E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:41.883{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x800000000000000094013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:41.883{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=D05A4BBB894D10FB32D48AD3C62D4AE6,SHA256=DFADFADDCF571DB5C33AA0FC0F5DF84512A1E131788FAD69DBDED5BB7D0E03C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:41.422{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:41.422{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD137B58DBB256ED4AAAC52383B16BE7,SHA256=096E6CFDB7F0CB59A1712CC77573A4247D17555D4DA0652173FAB0E4CEA41535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:41.314{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6061F7D72F384B7685B3CB361D1519,SHA256=0F70FCA7A427944373C2E1427EBB5274B49D1B0156249D882949394ED43593CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:40.028{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50364-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000094017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:42.784{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup64\net\startup-roslyn.profile2023-01-17 10:34:42.784 11241100x800000000000000094016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:42.452{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:42.452{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CB613D3EE13076CA521554D6D04A12,SHA256=82016C0AE04DDE5E490122DB14F4194AEC7E2F697968B90BA3C887B3146677AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:42.400{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F916505E8095EC7C73FDE7E4B337DE9,SHA256=CC748EC02DD43DB33F964A9494329F08FC96B98E6FBE681CDC2CC60117598B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:43.513{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F52A0BEB9B38067B89589C236D47FB,SHA256=B37EC7F6147B1EF0095D6B11AD9A1568BEB8D478CE14A051DDBA7E44B40CDA7A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:43.602{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:43.601{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89717395569E019B110DE118D86EEE96,SHA256=FFBC03DB74C1A4019B6B7ECCFEFB6405B4179323D438CAD1647D48FE3393C813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:44.609{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEEA398ED3DE4F806FA3A210775AF817,SHA256=A2D1315AB0D82A4E05BCD88BBA5B64C6BF73E3FC3E39EBAD68A83D627C36197D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:44.547{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0AFB564697F405B7BC0ABB83AA694888,SHA256=39629B110F050252D073A8D191BB708470466906ABE2DD234787D6C8C9D0B512,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:44.685{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:44.685{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2157E37EA5A4A0158F2E77ED26D5AC0F,SHA256=E8616D4276DDD2AFF12C14E03A7735DDFEBB653989437D64CD1CC0C1600945E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:45.598{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3208117779175BB4B8D4EAD2E8D4563F,SHA256=1219BA0A77E3871BBCE2EE4F7001C8B03C0EF1F63CC34394DC7C1ACDEB01DC98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:43.220{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49605-false10.0.1.12-8000- 11241100x800000000000000094025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:45.770{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:45.770{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C7F7C8EBCEC5C87B30FC44BB884728,SHA256=07A4CB71728BC6351E3558D4F803C9D20C750A2CD72ED537A1D491536A403FBC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:45.601{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000094022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:45.600{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A457DD5B60A092769DCDCDBC2E33BC85,SHA256=1ACCF6C4E2E3957556887114FDA0EF7DD18B0217A50DE81B7F36F67DE37E4CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:46.688{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9687564F520B63634F73E2EE41FC9B3,SHA256=C1DC933B43475F4EDCE72BD9DE5ECAFE7DCC27CAB6F6139563D5DB697B64D39A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:46.886{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:46.886{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A565094C13742F8C5807A2D2CA61605,SHA256=3865DBB7B71D95BE67EDE11881507B0D645C31A344DA883C9260BE548E1B32C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:47.777{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65675DA747DF9D6F057F4D1CAE0F72BD,SHA256=AA9CCD808C1CF5B0074CA4D35F9F5D35D4989E49733485723DF8E40084D1A64D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:47.988{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:47.988{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87735AC4ED6CEB3B4AA0B88FEA0FA6A2,SHA256=6CCEA3ACA6EB0B5129357F650669DF722CB4A7CB682DE26F05BE3B0326EF5A7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:45.227{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50365-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000094053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.265{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.261{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.249{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.247{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.244{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.232{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.225{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.224{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.220{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.212{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.196{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.191{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x800000000000000094041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.190{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:34:48.190 10341000x800000000000000094040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.179{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.169{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.159{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.123{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.109{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.098{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.083{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.073{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.026{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000094031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.024{F172AD64-7640-63C6-CB01-00000000B002}61966316C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000069657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:49.091{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9940F60A608478C2CCDA5A8D7E217FA,SHA256=D72611727704DBF0865A76587B70E54F4DE5BAD3D755694082E59C370D58F52C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:49.073{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:49.073{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347C30266F7EC0ACA132A112C69A074C,SHA256=F86A5A443D8A6C6B5CDB4578EEBC4A0575B51B632938A883EACCAC93E7F756EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:50.186{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B038671675FC0DCE6431BB9DE402587,SHA256=C2C5492821ECD33C887FB946F5B9B9315544CC7FFDCE611DF77A30B1B47B7564,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:48.329{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49606-false10.0.1.12-8000- 10341000x800000000000000094083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.728{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.726{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.418{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.418{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.418{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.411{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000094077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.402{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000094076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.400{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000094075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.397{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000094074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.396{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000094073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.390{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000094072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.380{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.312{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.308{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.293{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.274{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x800000000000000094067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.190{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:50.190{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C20E149CA09CAC3018F8A9039412C2A,SHA256=AE66B3737544E7CD4A9F024D1679C399E2E91D37426A7DCD373D69811C0445DE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000094065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:50.074{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000094064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:50.074{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0032f29a) 13241300x800000000000000094063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:50.074{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a56-0xf1c693d5) 13241300x800000000000000094062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:50.074{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5f-0x538afbd5) 13241300x800000000000000094061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:50.074{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a67-0xb54f63d5) 13241300x800000000000000094060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:50.074{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000094059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:50.074{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0032f29a) 13241300x800000000000000094058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:50.074{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a56-0xf1c693d5) 13241300x800000000000000094057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:50.074{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5f-0x538afbd5) 13241300x800000000000000094056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:50.074{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a67-0xb54f63d5) 23542300x800000000000000069659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:51.277{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385D09FE0A1A97BF08BDE104248C70D0,SHA256=16D8653BDE4A6AB9E52935488B9F0ED01D5C794CD86AE13EF787D98B27D21104,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.411{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.409{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.406{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.404{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.400{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.397{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.394{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.391{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.388{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.386{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.377{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.376{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.356{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.347{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.346{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.344{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.342{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.339{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.338{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.338{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.336{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.320{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000094101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.318{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1C1DF4144A83901FDE288F2D165532B7,SHA256=A3F4AAECA86F9D079FB6575B6D2A4D9D938CCAB87596246CB8B7DCECD35B85D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.309{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.306{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.274{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.268{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.254{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.249{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.248{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.245{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.242{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.240{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.238{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.236{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.234{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.233{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x800000000000000094086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.115{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:51.115{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126A12DD5617E3BF11689C4FAEBED073,SHA256=8A06C2F9D4EADA7F6C8DBB7B58012CD9DDB9B4A99E277CEA1F0DF6B7844A33DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:51.203{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50366-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:52.364{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A5B26610A62FFCF408426015A4455A,SHA256=0046A8666C9EE2CCE5977CFF0B24044F7F31E9F700529EAFF43412746FC4602E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:52.431{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:52.431{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:52.431{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:52.416{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:52.416{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000094125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:52.331{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:52.331{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C6D746E095C70C6877A95CE753DE99,SHA256=C90DEDFFB1231222AFC72CF00475F6E5AE2406417DBFB0C089ACE9D9299AAAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.796{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEB9A67A642FA41702E0B7702AF67DC,SHA256=4A49E9182EF8026AFD140C02CA230B5D64760B7D377BED8F58BDFE06A42C3400,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.486{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.469{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.435{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.417{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.384{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.375{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000094136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:53.716{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:53.716{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000094134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:53.493{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-17 09:40:52.407 23542300x800000000000000094133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:53.493{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=40FEB3271F3E6E3597C0E0871FE62C0E,SHA256=36EB96C43BF3D3744E1D346A7411B1EDEC2CA64D6EFA20AB51F7DA435360B35D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:53.432{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:53.432{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC808FB6841684D2B271F94030FEF981,SHA256=FCEF6A5650F67022BC17C2D8DCD056DC453C0BDC21113650739899FD67F9000E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.356{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.341{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.316{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.313{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.309{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.304{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.300{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.299{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.276{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.267{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.252{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.249{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.230{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.215{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.178{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.169{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.161{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.154{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.147{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.142{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.121{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.114{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.108{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 10341000x800000000000000069662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:53.104{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245620C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A003D0) 23542300x800000000000000069701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:54.528{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFF20ED20CE7F8DAA6D01E3A16BDA15,SHA256=A46E0A598381F5B2BCA8E4C792AD2380A1FA67CC680C43070BEB1DAADA1CD48A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.826{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.826{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.826{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.668{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.668{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000094142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.562{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:34:54.562 23542300x800000000000000094141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.562{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.562{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:34:54.562 11241100x800000000000000094139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.462{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.462{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3C2E76A4E931E4FD8283C7E34C0A6B,SHA256=29C5161BAD91B3222C274E8B138350DC27ABA625211FE5EE59557537285F7470,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.233{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\startupCache\startupCache.8.little2023-01-17 10:34:54.233 23542300x800000000000000069702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:55.624{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7332283E118A089BBE6DFEBD16AFFB1,SHA256=4C8CE4D4AEEFE934F27B6C6DFB4ADEFCA40FE436BDEF4567BB41F942B89A30F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:55.581{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:55.581{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45DA66D8B8AC04E2AA5EC5010033A58,SHA256=7022E65DD51953339538191C40F4D7A12CF27563ED9660AFBD6915C4F27A36EC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000094153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:55.535{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000094152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:55.535{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000094151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:55.535{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000094150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:55.535{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d92a5f-0x57145abd) 13241300x800000000000000094149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:55.535{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000094148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:34:55.535{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000069707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:56.718{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F7D2DE7E8020A67DEF81948344DD2B,SHA256=8DDB6E1049BD6E65F419B8F68A01A4E388947D4CA7C38BFD02A7363773029A13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.924{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000094228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.924{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D442FFB38926E62C82E37A080927334B,SHA256=F35F192C0AFCCCB8CD6D095A3CDCE0217833323EF9D2B9057BB7124FD80366DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.917{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.917{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.917{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.913{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.913{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.913{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000094221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.778{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.778{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB685F70BB742930189CF4D7D22ED6B,SHA256=F4CF609B946D5DAEFA9C0A3F187BDB93F1E0E7BE2A860E73C77907FBAF6FF405,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.776{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.776{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9514A9DDCA713D21547E9CF0E79220,SHA256=E028567FE99F9F6070C76DBC4BA928552F8BCB19D57952EF8347F6FD31597C1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:56.023{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:56.023{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:56.023{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620668C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:56.006{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.381{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.381{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.381{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000094214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.335{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6,IMPHASH=291B64B0984CCD3A091CF75D2A111D5DtrueMicrosoft CorporationValid 734700x800000000000000094213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.327{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000094212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.312{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000094211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.295{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=1E97AB4809C6F313924374B955C06609,SHA256=0EED3DC3607EC986FFC8BE594A6656D668647DCC84E2158006123A4EBD273B12,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 10341000x800000000000000094210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.280{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.264{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000094208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.264{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000094207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.264{F172AD64-79B2-63C6-8A02-00000000B002}62084212C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CF6EBC) 734700x800000000000000094206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.264{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 10341000x800000000000000094205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.211{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000094204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.211{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000094203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.211{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000094202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.211{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000094201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.211{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CB0F3B) 10341000x800000000000000094200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.211{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000094199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.211{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000094198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.211{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA6406) 10341000x800000000000000094197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.211{F172AD64-79B2-63C6-8A02-00000000B002}62084212C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA38F9) 734700x800000000000000094196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationmscordacwks.dllMD5=34430BB4DBFA4814115EC8D42BE9B4CC,SHA256=9E5008F4B2B9A12EA4262647C1A6362E1CB96DFBC68B538E133B2A2A3CD9F33F,IMPHASH=749340B5A3E31B3E36A3A4A7F57CCF2DtrueMicrosoft CorporationValid 10341000x800000000000000094195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79B2-63C6-8A02-00000000B002}62084392C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c1d4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32F,IMPHASH=CD244BF7A749BF0B13E038D2EE842BFCtrueMicrosoft CorporationValid 734700x800000000000000094193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153,IMPHASH=0524DC27AA10ADA72FFB6F88F5FD8829trueMicrosoft CorporationValid 734700x800000000000000094192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=3E93DA6D9661961064868E1DC8719674,SHA256=94E0505EFFF30A222546870508A8016D3EABE0F1B05ECC51997153AB9D9188DF,IMPHASH=259C196C67C4E02F941CAD54D9D9BB8AtrueMicrosoft CorporationValid 734700x800000000000000094191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000094190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000094189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000094188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000094187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000094186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000094185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000094184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000094183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.195{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000094182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000094181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000094180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x800000000000000094179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000094178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000094177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000094176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000094175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000094174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000094173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 10341000x800000000000000094172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79B2-63C6-8A02-00000000B002}62084392C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9424|C:\Windows\System32\KERNELBASE.dll+c3fe5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000094170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79B2-63C6-8A02-00000000B002}62084392C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\svchost.exe0.0.0.0 --svchost.exeMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 10341000x800000000000000094168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79B2-63C6-8A02-00000000B002}62084392C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79B2-63C6-8A02-00000000B002}62084392C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+55fc0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000094161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-79B2-63C6-8A02-00000000B002}62084392C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7437c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5522b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000094160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.186{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0.0.0.0 --svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe" 10341000x800000000000000094159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:56.180{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000069708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:57.789{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14309C9063070FB96A9AE0C30743035B,SHA256=897396DED37337B2B340E3B5AEC45A47276FE6ED73BC02C8865FCEC23D9498F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:57.829{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:57.829{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83078E3AEE593FC5EBF392A906C8EAF,SHA256=66205EAF163EDB0BF0BD8A99274208BFAA3CAF7189A761D14E995D6301DA494B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:57.209{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000094232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:57.208{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=814D98243AA9EA397ACCD6673D5E207E,SHA256=9767BBB1323CC31154C43EEC7660B6256F9CBC270F73B10955AA5FCBF28FE96C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000094231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:57.107{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\System.Threading.Tasks.Parallel.dll5.0.20.51904System.Threading.Tasks.ParallelMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.Parallel.dllMD5=FAB4822A73771AB4980C876FCC736AFB,SHA256=ECDDD31BBF74BD0243E83E581B461E53A3541D4DB871336C000880194989398C,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 354300x800000000000000094230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:54.330{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49607-false10.0.1.12-8000- 11241100x800000000000000094242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:58.872{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:58.872{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F95F655E41C6D31F636DA7C87908191,SHA256=680EBA99DC95924BA2A064AC3E7C0BDD5750198BAE6B238C542A947D4052A690,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:58.271{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:58.271{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:58.190{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000094237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:58.190{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000094236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:58.190{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000094244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:59.906{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:34:59.906{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7239C023565BFD49B84CD720E43F61BB,SHA256=66DA1FD5AB4F9F4FACEC6AC607A5DEE612790AF5497B1ADA67131003279BA1D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:59.745{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:57.190{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50367-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:59.090{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F64E4EDEC2487A986BB3C381234EAB,SHA256=DC2447AF04A29C84B670C9DA1025B408E6408D54E6EE3206FF2BC4DB87452925,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:00.996{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000069713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:00.405{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1DF3C69C30BDD3955F6BB8EC236967E0,SHA256=A6DFCC936BB78849082CB0E4BBD32CB3C95B1C415E929D7B66D430719B56113F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:00.171{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0CAB8C30C46023E00CD5896BB9B4E7,SHA256=4785FDEBFD74CC05A32B6725929A64E96C07DB8D46C9E72C90CD8A389B1A3B53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:00.271{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:00.270{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000069715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:34:59.718{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50368-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000069714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:01.270{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5EA94D5479D46E9B9CF11D6EC4109D,SHA256=3C45D5AF6ABA64B1C5D8413B02A326FF6A67FF9C8EF98362454BFA75496FAC09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.855{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.708{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.694{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.651{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.635{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.595{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.539{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.539{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.524{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.508{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.508{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.494{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.479{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.479{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.476{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.455{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.424{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.379{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.155{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.139{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.123{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.078{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.076{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.041{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 10341000x800000000000000094251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.041{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 11241100x800000000000000094250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.026{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.026{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F923B98A7C7F73B120A268C9599329,SHA256=05FBB5553D1A741E0E79ED3ED6F6D0DE9C1230D580D9EC465AA0FC824DE2C6BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:01.012{F172AD64-79D0-63C6-8D02-00000000B002}23485080C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7922-63C6-5602-00000000B002}4332C:\Windows\system32\vssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CB3CB3) 23542300x800000000000000069716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:02.369{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD835BE1B4178DD4201A37CD22DBCE9,SHA256=66F8EA7D8DFFF5F14A2FD62F2979079750157B6E86D547503441BC33277BC8B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:00.228{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49608-false10.0.1.12-8000- 11241100x800000000000000094279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:02.671{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000094278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:02.656{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C43FD46B6B10F01DE589DEA932B1A174,SHA256=D37B4BDBC89F81462B29034CB389AE89875E2E175B2BBE268B6D05817B386744,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:02.058{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:02.058{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0A3B0D79B427565D2AFE5C4C025E14,SHA256=D8E4671376F3BD30F98BA6D43F76DB232CF5F096DCCE429CECE169F10E0A17BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:02.294{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50369-false169.254.169.254-80http 23542300x800000000000000069717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:03.678{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E941B2B468579C40A00372CD9EA4E3C,SHA256=BDE52537765A2ECB469278A9207472304ED5532DA82613A553BFFBD08FE3979D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.757{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000094284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.674{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 13:16:44.659 23542300x800000000000000094283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.674{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9984ADFDDEC9FE06B849853C5834C049,SHA256=C48D71AA8E6C1FD23EA53752DD4E7D09DEC4C1C9CB0B6B62EEC0940A269A925F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.175{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:03.175{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EF247F657EBF36265AEE7C49FAE021,SHA256=75147871CBC00E60F20326781ACCD422AC51BD10F9A965385CE15A067271B164,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:03.042{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50370-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:04.777{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDA9E79042D041D6E074F114A6C02E3,SHA256=BB6A7A7A75E554BE2B99FB6EB81A8979515E21437DA509A9658C3331D9F3D674,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000094328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:35:04.541{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92a5f-0x5c72ad0c) 11241100x800000000000000094327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:04.457{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:04.457{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9424A408158DEA433BE307E85386CB,SHA256=9F5EC822DB650E1C6B9E4A7B2BDE9AAC53E6BA634B4E06CAC09E03023052E119,IMPHASH=00000000000000000000000000000000falsetrue 534500x800000000000000094325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:04.341{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe 10341000x800000000000000094324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:04.341{F172AD64-79B2-63C6-8A02-00000000B002}62084212C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-79D0-63C6-8D02-00000000B002}2348C:\Users\Administrator\AppData\Roaming\svchost.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5559f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+6d93|UNKNOWN(00007FFF63B6BA71) 23542300x800000000000000069721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:05.858{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E03B434B7A65AD668CD543589B462B2,SHA256=EF0D89EDA89E716C53331E09C3093F81F882688EAD3446A54F08092471C6A31D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:05.397{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:05.397{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECCDCE3F39965123AAC0CE86B397753,SHA256=E1754B926841ADF82F16B887B3A1D59FBF3156795E594EF725B79B8F0697EEB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:05.258{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:05.258{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000069722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:06.943{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BFB01B3940E65EF603B486D54A1A82F,SHA256=DE68FC97DFD0FF915A048EFFF772FFFC2FA48CE8B501FBDCF5E3A6D26FDB0B24,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:06.498{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:06.498{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F93AAE848A164F28DC34B50AA69FD7,SHA256=D87B807B3F7BA1550A367344672D47ECECA47B248CFC1ABA537E03B57F89FB7B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:07.646{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:07.646{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D61BB55450FA2BF8071E8834363DE45,SHA256=42BAEC605E908617AB7E207A685EE0B3F6B3F904E6B32E617B9D028B8C94DE4B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.750{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.750{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5045BFBEE777D0D1AC29AFB7704DA99,SHA256=085CFF8296E66818574CAD26718C4FE9EF4B0B75DF9DB541D75D4EF1C0B020A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:08.154{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121A8A90A25EDB829A152954F3C40B92,SHA256=19C8717B4F3F492120F29F9845E0AF76882F24C627BC72B6A2D8DF6ADB8E37F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.240{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.236{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.231{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.229{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.227{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.218{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.213{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.211{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.209{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.204{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.191{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.184{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.177{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.168{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.156{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.129{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.118{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.110{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.091{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.080{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.029{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.026{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x800000000000000094364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:09.836{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:09.836{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB18541FEEFFE6F0246F9100E8AF7D9,SHA256=632A96840B0527A2C22EDA40C641D2F85A99728796D57B43AE647F0C5C3573FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:09.251{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6572C21165182FD1AA7F5EB5F095D7,SHA256=2B23890FD83BF78CCCCC1D418ABF7A95593804A0482B30AA213CEA344FD11B63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:09.636{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94e79|C:\Program Files\Mozilla Firefox\xul.dll+e9515b|C:\Program Files\Mozilla Firefox\xul.dll+1237deb|C:\Program Files\Mozilla Firefox\xul.dll+e91887|C:\Program Files\Mozilla Firefox\xul.dll+1252d02|C:\Program Files\Mozilla Firefox\xul.dll+c518c|C:\Program Files\Mozilla Firefox\xul.dll+c53228|C:\Program Files\Mozilla Firefox\xul.dll+c52f6b|C:\Program Files\Mozilla Firefox\xul.dll+18db8da|C:\Program Files\Mozilla Firefox\xul.dll+18a66f7|C:\Program Files\Mozilla Firefox\xul.dll+1ce8514|C:\Program Files\Mozilla Firefox\xul.dll+1e4c3f3|C:\Program Files\Mozilla Firefox\xul.dll+18a6adb|C:\Program Files\Mozilla Firefox\xul.dll+1ce8514|C:\Program Files\Mozilla Firefox\xul.dll+1e4c3f3|C:\Program Files\Mozilla Firefox\xul.dll+18a32ef|C:\Program Files\Mozilla Firefox\xul.dll+197cafa|C:\Program Files\Mozilla Firefox\xul.dll+1b6fbe2|C:\Program Files\Mozilla Firefox\xul.dll+1b67557|C:\Program Files\Mozilla Firefox\xul.dll+187b7a3 354300x800000000000000094361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:06.248{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49609-false10.0.1.12-8000- 11241100x800000000000000094375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.891{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.891{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFCAD29BC92E7712E87BDD135BF28E6,SHA256=E1A5F0DC85ADFFD06FED2283AEBC341DB82D68E62517350C9D3973CD38BADC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:10.335{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1F137B22B71A94EE51963D0D446320,SHA256=CA9AEC44B5D3A85D75564B1AC835BE3D51763C06F083314771EF06C6FA349A90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.820{F172AD64-7634-63C6-B901-00000000B002}49005124C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.806{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.806{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.717{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.715{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.290{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.287{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.280{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:10.267{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000069725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:08.126{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50371-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:11.411{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EE74E68F4696979B680A866CCAF2E8,SHA256=FF70A7312A29403E027B0DEEFB9B1C04918F0CF0EF75CEA371C372DE55478279,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.402{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.400{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.397{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.395{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.391{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.389{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.386{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.383{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.381{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.378{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.369{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.368{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.348{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.342{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.341{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.339{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.336{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.334{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.332{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.329{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.302{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.293{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.291{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.263{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.254{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.242{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.237{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.236{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.233{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.231{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.228{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.226{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.225{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.222{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000094377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:11.221{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000094376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:08.483{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49610-false169.254.169.254-80http 23542300x800000000000000069742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.825{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=615D3E2E666DB3849C68295241E6A89C,SHA256=60E0728E9E7C16991867D0D3CB5EABC0FC198BF6C112C76FEAE991089E60B35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.507{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237400DFE8BCDB9E7CCBCD84E955DBBE,SHA256=0CBEA39F16E1AB2CD9146DC7AC7BEBB3745181A2FA3CDFFDBDBD80955FECDD4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:12.253{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:12.253{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72106C22371A06024198DCC7A061B38,SHA256=5AEE5D4AA49868AC3FF1F773F4C133B2E617C61B204E1D14A089B7D5B3C805CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79E0-63C6-5E02-00000000B102}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-79E0-63C6-5E02-00000000B102}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.351{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79E0-63C6-5E02-00000000B102}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:12.352{F6EEFE7F-79E0-63C6-5E02-00000000B102}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.747{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=80FFF27F2F792D393ED65EA49D8ED23A,SHA256=B040421E8EAF203599BEBAFD4EFB1713044F80507616D965CB4C03F451D7B641,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:13.338{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:13.338{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B35BCA35C1FC4873843C29AD3BDEC79,SHA256=375395C5A810EBEB60305268E459C75EB3996F9D36EE8765AF378C79CC0E1D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.516{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50D8D41D90B6D79FD064BD9E6B5872DC,SHA256=92E485E050C6EC66A4C3A6E86571EFFDD7EA4700A8C56D508895EBA6A4615947,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.439{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.420{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.389{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.377{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.337{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.330{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.312{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.301{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.298{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.266{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.262{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.261{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.259{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.257{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.254{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.250{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.245{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.242{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.235{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.224{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.222{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.212{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.204{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.175{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.169{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.162{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.151{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.143{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.137{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.118{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.111{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:13.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000069810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79E2-63C6-6002-00000000B102}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-79E2-63C6-6002-00000000B102}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.909{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79E2-63C6-6002-00000000B102}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.910{F6EEFE7F-79E2-63C6-6002-00000000B102}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.786{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489939AF38E8E35C05A515BDFE497548,SHA256=3392C9C660347BA34B0F1806428DDF9F684A8B07A26A57B93DA0F1CC586ABDBD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:14.374{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:14.374{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586674D3DBB36576F15FB6BA3744B838,SHA256=872175621770DEACB6C41910956B64E45BB558FCADD9F510A978DDF9FBDEAC03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79E2-63C6-5F02-00000000B102}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-79E2-63C6-5F02-00000000B102}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.237{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79E2-63C6-5F02-00000000B102}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.238{F6EEFE7F-79E2-63C6-5F02-00000000B102}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.003{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0678DB82C136FB59438950EC52CBF0D6,SHA256=163492D5B4154EAAF9BE4579CE997340AA0F46F9DAEF840B80AE8A1946128A76,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:14.053{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50372-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:15.864{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E636E3B36959915DD3814DBD45A77BBF,SHA256=B960EFB8E4A4961C50815569B7A750BC678BBEF82B3E5BD9F7D1D535A486CBB2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:15.701{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:15.701{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD503A92387348E7F372E747291197D,SHA256=54FAB1F790D23CD4C94DA20DB0675D1F91EE479D2858992A7271168028DB8639,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:15.159{F6EEFE7F-79E2-63C6-6002-00000000B102}50485516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000094419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:12.515{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51144- 354300x800000000000000094418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:12.157{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49611-false10.0.1.12-8000- 23542300x800000000000000069828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.956{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5B8C2FAF9A803F6C6F051604DDEFC2,SHA256=45BF7442BCE10886F7C1619557D3DE151159FF3EFF0686574AE0C904C34E7AA5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:16.834{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:16.834{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A858B84ED8CD796B3254284375269C,SHA256=2D9258AA6ACFF6AF0BC62C486FF1D840E152B576FC8D78892E48666DE2817DC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.444{F6EEFE7F-79E4-63C6-6102-00000000B102}38081840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79E4-63C6-6102-00000000B102}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-79E4-63C6-6102-00000000B102}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.241{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79E4-63C6-6102-00000000B102}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:16.242{F6EEFE7F-79E4-63C6-6102-00000000B102}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000094434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.991{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9C0D5CD613D2FC4CB7E630ECAAAFA4DCE205BE0F2023-01-17 10:35:17.989 11241100x800000000000000094433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.970{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.965{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A206B24D8614F0FC3AFB7A557B8776ED,SHA256=EC01DDC54CA595A7322747568C9B13CA60BC933BE2B7E5B07B27EAF4C95702EF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.933{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4CDC1C53295CFD17EA45FF502CB29BDB5BC318242023-01-17 10:35:17.933 10341000x800000000000000069855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79E5-63C6-6302-00000000B102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-79E5-63C6-6302-00000000B102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.846{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79E5-63C6-6302-00000000B102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.847{F6EEFE7F-79E5-63C6-6302-00000000B102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000069842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.389{F6EEFE7F-79E5-63C6-6202-00000000B102}28843400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79E5-63C6-6202-00000000B102}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-79E5-63C6-6202-00000000B102}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.175{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79E5-63C6-6202-00000000B102}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:17.176{F6EEFE7F-79E5-63C6-6202-00000000B102}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000094430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.673{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4A0ED53A79E6842A4CC3F4A35CD1B016089B7FA02023-01-17 10:35:17.673 11241100x800000000000000094429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.641{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9DC5DD8944798FA40AA6E44D9131A234F5F4378F2023-01-17 10:35:17.641 10341000x800000000000000094428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.341{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.313{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-793A-63C6-7002-00000000B002}1236C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.309{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+45a2cc6|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22 23542300x800000000000000094425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.237{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\formhistory.sqlite-journalMD5=12BCFFC4F6141F680BAF00336B86852A,SHA256=D7BF3C6BC050472427442EF78F9BA6148AF9317ABF2125F91570280F1A19C231,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.225{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\formhistory.sqlite-journal2023-01-17 10:35:17.225 23542300x800000000000000069863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:18.214{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC92477C4583D5D8F98D74F9A935AD5D,SHA256=EDCC01E485DE3902CF6A457AA97AC851C5EE131BFF26102C2964A53501B2D352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:18.075{F6EEFE7F-79E5-63C6-6302-00000000B102}54082328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:18.035{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79E5-63C6-6302-00000000B102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:18.034{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79E5-63C6-6302-00000000B102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:18.034{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79E5-63C6-6302-00000000B102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:18.034{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79E5-63C6-6302-00000000B102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:18.033{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79E5-63C6-6302-00000000B102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000069856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:18.033{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-79E5-63C6-6302-00000000B102}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 11241100x800000000000000094537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.795{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5DEC3A7780A726600328CBD80DA497A20FEB736E2023-01-17 10:35:18.795 11241100x800000000000000094536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.771{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7A787A3C90F6A25DEEBBCFFCD8BD01ED144144C12023-01-17 10:35:18.771 11241100x800000000000000094535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.766{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A8CCF2717FD0304829B6889F0FD3DC3AA3C0F8F42023-01-17 10:35:18.766 11241100x800000000000000094534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.759{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BED60E80733D3A3CFA20194975F091312811518F2023-01-17 10:35:18.759 11241100x800000000000000094533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.748{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3AD8500C6960A5F6EE3B83E122A8E19E7CD757B02023-01-17 10:35:18.748 11241100x800000000000000094532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.746{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A12A4F95ED50000AF9D60AC09B26460622637FEE2023-01-17 10:35:18.745 354300x800000000000000094531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:16.738{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49612-false142.250.191.99ord38s28-in-f3.1e100.net443https 354300x800000000000000094530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:16.720{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53814- 354300x800000000000000094529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:16.720{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52457- 10341000x800000000000000094528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.592{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.592{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.592{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.591{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.591{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.591{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000094522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.572{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3702241793E5B3C5F216330BE20CF2F08179AA002023-01-17 10:35:18.572 11241100x800000000000000094521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.502{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.502{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF5B153D7AC414FD12F25179D2C700E,SHA256=A26E4760842378D8300A252DCCFB63B1CA75FAAB86BA5E2E8C9336ACCA2E6252,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.500{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0EDB49C6F40E360BC7B2F8B9F75CE05BEBF265822023-01-17 10:35:18.500 11241100x800000000000000094518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.495{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C17419696237E9098466545CE54EF90B3F0ED0D22023-01-17 10:35:18.495 11241100x800000000000000094517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.474{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E454453A42A15862314FD24316B4C28DAA82F8AD2023-01-17 10:35:18.474 734700x800000000000000094516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.406{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000094515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.406{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000094514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.402{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 11241100x800000000000000094513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.410{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7035A45179A7DB8664A581CF69380C998A2537CC2023-01-17 10:35:18.410 354300x800000000000000094512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:16.459{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61104-false172.217.1.99yyz08s09-in-f99.1e100.net443https 354300x800000000000000094511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:16.459{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52825- 354300x800000000000000094510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:16.342{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53730- 734700x800000000000000094509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.372{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000094508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.406{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000094507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.406{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000094506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.406{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000094505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.402{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000094504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.402{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000094503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.372{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000094502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.372{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000094501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.362{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000094500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.362{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000094499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.381{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000094498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.376{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000094497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.376{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000094496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.376{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000094495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.376{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000094494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.376{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000094493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.376{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 11241100x800000000000000094492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.362{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D967F516B16AD8034E93085BFBA2F147862850A42023-01-17 10:35:18.362 11241100x800000000000000094491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.362{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DFDA76C0ABEDE1084EA818FF1A395DF6478F498C2023-01-17 10:35:18.362 734700x800000000000000094490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.341{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 11241100x800000000000000094489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.353{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\293F06D53429AFF6E087AAB5300754A018DD256B2023-01-17 10:35:18.353 11241100x800000000000000094488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.353{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F88DD3F10648190CD50D2621248601F1BBE12D262023-01-17 10:35:18.353 734700x800000000000000094487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.333{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 734700x800000000000000094486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.337{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000094485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.333{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000094484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.333{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000094483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.333{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000094482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.333{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000094481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.333{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.329{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.329{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.325{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.325{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.325{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000094475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.325{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000094474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.322{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.14.876819630\735374178" -childID 11 -isForBrowser -prefsHandle 1300 -prefMapHandle 4336 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdd0fca5-5dba-4de1-80bb-744846ef9f9e} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 4728 1793d485858 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x800000000000000094473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.313{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 10341000x800000000000000094472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.317{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.313{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.313{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.313{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.313{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.313{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.313{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.313{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.313{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000094446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:18.313{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.14.87681963C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000094445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.305{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\01AF03332D33A67E3CB99273E8E7D80D0081AF002023-01-17 10:35:18.305 22542200x800000000000000094444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.594{F172AD64-7935-63C6-6402-00000000B002}2296id.google.com02404:6800:400a:813::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000094443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.592{F172AD64-7935-63C6-6402-00000000B002}2296id.google.com0142.250.191.99;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000094442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.591{F172AD64-7935-63C6-6402-00000000B002}2296id.google.com0::ffff:142.250.191.99;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000094441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.266{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\346578EBB616930D4E7DF4EAB70AF19B54F172B12023-01-17 10:35:18.266 11241100x800000000000000094440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A2DDB3560A68C5D75BCAF878CCAAA944A799B0092023-01-17 10:35:18.250 11241100x800000000000000094439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.246{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\32C7D6804E847A3EA4A610C07DE951C2D2948B9B2023-01-17 10:35:18.246 11241100x800000000000000094438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.183{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:35:18.183 11241100x800000000000000094437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.109{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3B0CDD6DACDC4B4D40B228822B8BE2F9F9A679772023-01-17 10:35:18.109 11241100x800000000000000094436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.026{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8AFDF048C79ADCC2A95E55116A26D99C4AA69A552023-01-17 10:35:18.022 11241100x800000000000000094435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.004{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\46D46743C186426F0A7760160AF23922BCCB21A02023-01-17 10:35:18.004 10341000x800000000000000069878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-79E7-63C6-6402-00000000B102}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-79E7-63C6-6402-00000000B102}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000069867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.445{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-79E7-63C6-6402-00000000B102}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000069866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.446{F6EEFE7F-79E7-63C6-6402-00000000B102}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000069865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.118{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567254058CF5492BFEC305CF434FFC0E,SHA256=8D2770EADA2789759DFBAB17705D2602F7D67AEFBF63A5554CBCD719901C4E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:19.087{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=146C40E53E7C94F45E5A175C561F4000,SHA256=39DBC37D7F618075D9629743E807B500AA4D66EEC0298EE143F3C6D88C0A29BC,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000094637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.953{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000094636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.952{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000094635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.952{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000094634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.951{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000094633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.950{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000094632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.949{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000094631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.949{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000094630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.949{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000094629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.942{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000094628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.942{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000094627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.942{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000094626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.941{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000094625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.941{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000094624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.941{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000094623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.941{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000094622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.940{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000094621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.940{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000094620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.940{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000094619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.940{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000094618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.940{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000094617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.940{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000094616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.940{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000094615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.940{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000094614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000094613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000094612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000094611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000094610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000094609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000094608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000094607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000094606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000094605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000094604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.939{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000094603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.938{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000094602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.938{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000094601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.937{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.937{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000094599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.937{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000094598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.936{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000094597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.936{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.936{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000094595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.936{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.935{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.935{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.935{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000094591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.935{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000094590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.934{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000094589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.740{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=E3E9F79280294DC9091412001F2F9DCE,SHA256=B2B7C55D89AE30A06E26BCFA89123A1A6715D597892C95E731C743100C7E4397,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.729{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 11241100x800000000000000094587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.647{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\06F0B55C3AF4DFB3B537590DB9EEFDB14E4248742023-01-17 10:35:19.646 11241100x800000000000000094586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.616{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CFC118B04E666456CA7F635CD3C8EF1A950A8DA12023-01-17 10:35:19.616 23542300x800000000000000094585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.582{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journalMD5=880CE07A339DFB221BB6A8C23BDE0B59,SHA256=F1795B6CFF94FE98FB4A82BD825D03A07B7B38387515280682EC5AA731177AA9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.576{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journal2023-01-17 10:35:19.575 11241100x800000000000000094583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.526{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.526{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972516490B67438B89F12001803BCD40,SHA256=51DE3F01B9C0920FE2A7E6F87A6CB6E7CB66A9D585BA4A0AA0BDCCED2C372245,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.525{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000094580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.524{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D3B9FF3E8CF01D719B84DB552B1C814,SHA256=2770B6D77DBDF61295CA584F345ACE69FECCC3CE1A383A7687C13DAFC13C916B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.461{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DDA5919CCBF354E69267B9AC7782295D20C2865D2023-01-17 10:35:19.460 10341000x800000000000000094578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.441{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.440{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.437{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 354300x800000000000000094575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.392{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50953- 354300x800000000000000094574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.390{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49154- 354300x800000000000000094573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.372{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49613-false142.250.190.138ord37s36-in-f10.1e100.net443https 354300x800000000000000094572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.362{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49614-false10.0.1.12-8000- 354300x800000000000000094571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.324{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61107-false142.250.190.98ord37s35-in-f2.1e100.net443https 354300x800000000000000094570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:17.209{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55231- 10341000x800000000000000094569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.395{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.396{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000094567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.395{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.395{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000094565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.393{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000094564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.391{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000094563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.391{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000094562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.391{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000094561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.390{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000094560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.390{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000094559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:19.386{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-10C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000094558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:19.386{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-10C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000094557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.385{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000094556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.384{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000094555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.384{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000094554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.371{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.367{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000094552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:19.367{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.6569790350490893637C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000094551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:19.366{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.6569790350490893637C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000094550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.366{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000094549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.366{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000094548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:19.365{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.14.87681963C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000094547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.362{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000094546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:19.361{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000094545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.357{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000094544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.356{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000094543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.356{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000094542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.356{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000094541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.355{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000094540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.349{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000094539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.336{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 11241100x800000000000000094538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.316{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:35:19.315 23542300x800000000000000069879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:20.202{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAC46D235815F1ADD17D446D621FA3F,SHA256=9E80B0392291FB5912CD7A7674F55F003413C34FF51BD75110794556D4C6C4E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.822{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49615-false104.18.21.229-443https 354300x800000000000000094737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.813{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52272- 354300x800000000000000094736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.799{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local52846- 11241100x800000000000000094735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.718{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000094734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.718{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E46858DBC14835F015C453DC9AE97ECE,SHA256=1097671379D716364D0B612F94EE5184FB3414BEA5589158161D163A9BC22427,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.710{F172AD64-79E8-63C6-9002-00000000B002}69365756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.710{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000094731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.710{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000094730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.774{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52846- 734700x800000000000000094729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.571{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000094728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.571{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000094727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.570{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000094726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.569{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000094725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.568{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000094724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.567{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000094723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.567{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000094722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.567{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000094721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.566{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000094720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.558{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000094719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.558{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000094718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.558{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000094717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.558{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000094716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.558{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000094715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.557{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000094714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.557{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000094713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.557{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000094712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.557{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000094711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.557{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000094710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.557{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000094709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.557{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000094708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.557{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000094707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.556{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000094706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.556{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000094705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.556{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000094704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.556{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000094703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.555{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000094702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.555{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000094701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.555{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000094700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.555{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000094699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.554{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000094698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.554{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 11241100x800000000000000094697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.554{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x800000000000000094696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.554{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000094695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.553{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 23542300x800000000000000094694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.553{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18864F145147276E0158B86A2F3DC7B,SHA256=76ACBA5F7D5EC9AF9786CA2CFD742640CD86F5AF98A717B8C05264BD6D09E094,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000094693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.553{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000094692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.553{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000094691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.552{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.551{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000094689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.551{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000094688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.550{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000094687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.550{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000094686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.550{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.550{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.549{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.549{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.549{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000094681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.549{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000094680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.549{F172AD64-79E8-63C6-9002-00000000B002}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000094679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.547{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.547{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD41B62554320456F367C771590DF59B,SHA256=3BEFDB08F17B4CA7F9866857312BB2BED81A4243F384CE2E8C5402B1D122F54F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.484{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9A709325ABF296A2A7CEFC3F33E3AF8EA5974DE72023-01-17 10:35:20.484 354300x800000000000000094676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.310{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53285- 11241100x800000000000000094675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.410{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BD751F9FB7670DCBC1B4F6457900D931D1B786C62023-01-17 10:35:20.410 11241100x800000000000000094674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.335{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0255BF6DDDB8520711F2A567E9FE68AE943396732023-01-17 10:35:20.335 22542200x800000000000000094673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.092{F172AD64-7935-63C6-6402-00000000B002}2296sourceforge.net02606:4700::6812:a80;2606:4700::6812:b80;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000094672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.076{F172AD64-7935-63C6-6402-00000000B002}2296sourceforge.net0104.18.11.128;104.18.10.128;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000094671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.074{F172AD64-7935-63C6-6402-00000000B002}2296sourceforge.net0::ffff:104.18.10.128;::ffff:104.18.11.128;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000094670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.699{F172AD64-7935-63C6-6402-00000000B002}2296prwebsecure.sourceforge.io.cdn.cloudflare.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000094669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.686{F172AD64-7935-63C6-6402-00000000B002}2296prwebsecure.sourceforge.io.cdn.cloudflare.net0104.18.20.229;104.18.21.229;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000094668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.685{F172AD64-7935-63C6-6402-00000000B002}2296processhacker.sourceforge.io0type: 5 prwebsecure.sourceforge.io.cdn.cloudflare.net;::ffff:104.18.21.229;::ffff:104.18.20.229;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000094667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.323{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000094666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.323{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 22542200x800000000000000094665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.266{F172AD64-7935-63C6-6402-00000000B002}2296play.google.com02607:f8b0:4009:802::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000094664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.265{F172AD64-7935-63C6-6402-00000000B002}2296play.google.com0172.217.2.46;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000094663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.323{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 22542200x800000000000000094662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:18.264{F172AD64-7935-63C6-6402-00000000B002}2296play.google.com0::ffff:172.217.2.46;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000094661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.266{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8BCAD51B418426A60E14D11A34AF81AEC33DDA392023-01-17 10:35:20.266 11241100x800000000000000094660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.226{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B63C74E4FE6F1FDC8C8C5AB01CF99AAB99EDE9082023-01-17 10:35:20.225 10341000x800000000000000094659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.170{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000094658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.136{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EC0D6E59BF53014718A212B0DF82426FEC25E1092023-01-17 10:35:20.136 734700x800000000000000094657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.132{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000094656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.133{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000094655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.131{F172AD64-79E7-63C6-8F02-00000000B002}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000094654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.116{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5A490562652237B314B4F3F42F32184A808719282023-01-17 10:35:20.116 11241100x800000000000000094653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.115{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\873280C1281F495081D56B0C123F83C3955D001B2023-01-17 10:35:20.115 11241100x800000000000000094652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.110{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EE974F7ED132F534D9DC089EE28130DCC9B131CF2023-01-17 10:35:20.110 734700x800000000000000094651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.453{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 11241100x800000000000000094650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C1AA857D2968592BD816B22D3B363FB20AD558B32023-01-17 10:35:20.104 734700x800000000000000094649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.446{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000094648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.435{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000094647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.433{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 11241100x800000000000000094646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.084{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8844DC09287B10F4FA4456EE7061ADD2B3BAA3E82023-01-17 10:35:20.084 11241100x800000000000000094645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.083{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BAE212F82792E6597BD0EE7E2981AFF7DF1343462023-01-17 10:35:20.083 734700x800000000000000094644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.370{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000094643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.336{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000094642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.335{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 11241100x800000000000000094641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.026{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\254A7BF90C9BDC1070EF0432931B3C28DFE7AB352023-01-17 10:35:20.026 734700x800000000000000094640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.332{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 10341000x800000000000000094639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.019{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7942-63C6-7202-00000000B002}932C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.013{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 734700x800000000000000094929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.890{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000094928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.890{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 23542300x800000000000000069880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:21.282{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBA131CE17BC212870868069ACE4882,SHA256=F6A8AEA9206FCC43807BB36BBB906DDD74363ECC1F046A9D00BB2803AF5A450D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000094927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.890{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000094926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.743{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000094925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.743{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000094924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.743{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000094923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.741{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000094922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.741{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000094921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.736{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000094920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.736{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000094919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.736{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000094918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.733{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000094917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.732{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000094916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.732{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000094915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.732{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000094914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.732{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000094913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.731{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000094912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.731{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000094911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.731{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000094910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.730{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000094909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.730{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000094908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.730{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000094907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.730{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000094906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.730{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000094905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.730{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000094904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.729{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000094903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.729{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000094902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.729{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000094901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.729{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000094900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.729{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000094899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.729{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000094898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.729{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000094897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.729{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000094896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.729{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000094895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.728{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000094894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.728{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000094893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.728{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000094892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.728{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000094891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.728{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000094890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.728{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000094889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.727{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000094888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.727{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000094887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.727{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000094886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.726{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.726{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000094884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.725{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000094883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.725{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000094882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.725{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000094881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.725{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.724{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.724{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.724{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.724{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000094876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.723{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000094875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.723{F172AD64-79E9-63C6-9202-00000000B002}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000094874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.604{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49621-false142.251.165.155rg-in-f155.1e100.net443https 354300x800000000000000094873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.575{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52172- 354300x800000000000000094872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.575{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55098- 354300x800000000000000094871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.573{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52815- 23542300x800000000000000094870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.650{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1DE49CC586FE8EF01CFCEDC085C21156,SHA256=E59800E823F529FDE5297670C4385B99AD351FAB73283A55840754BE990A9770,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.572{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.572{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000094867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.572{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000094866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.523{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.523{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA8D13134DB82FE0BE733986411C698,SHA256=F8CA3F637F1BE46F0FC25EADED1C05C58E5855B027E382BC6036C524E0201AC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.472{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49620-false172.217.0.174mia09s16-in-f14.1e100.net443https 354300x800000000000000094863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.387{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local51931-false104.18.10.128-443https 354300x800000000000000094862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.367{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51930- 354300x800000000000000094861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.366{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55016- 354300x800000000000000094860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.323{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61111-false142.251.32.8ord38s33-in-f8.1e100.net443https 354300x800000000000000094859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.311{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61110- 354300x800000000000000094858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.311{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61109- 11241100x800000000000000094857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.242{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.242{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73F874C28CA63AAFEE6F76720583226,SHA256=769148B9AC2A2451A3F60901827E0B9FB85652A3D1F0448B686DF6405B968529,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.256{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49618-false142.250.191.195ord38s31-in-f3.1e100.net80http 354300x800000000000000094854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49619-false72.21.91.29-80http 354300x800000000000000094853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.213{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49617-false104.18.10.128-443https 354300x800000000000000094852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.204{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61829- 354300x800000000000000094851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.203{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52506- 354300x800000000000000094850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.198{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local50878- 354300x800000000000000094849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.194{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49616-false142.251.32.8ord38s33-in-f8.1e100.net443https 354300x800000000000000094848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.177{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65310- 354300x800000000000000094847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.174{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61894- 354300x800000000000000094846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.171{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50878- 354300x800000000000000094845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.133{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61108-false104.18.21.229-443https 734700x800000000000000094844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.094{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000094843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.094{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 11241100x800000000000000094842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.094{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.094{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C71C7EB9A603D89F9B5CE93C611DC93,SHA256=0715B667D0031047758A08DCD2B8D7CA647733B6AEDAEE09D0C6E854579D92FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000094840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.090{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.090{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.086{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000094837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.086{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000094836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.086{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000094835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.082{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000094834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.078{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.078{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.078{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000094831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.078{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000094830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.078{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000094829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.074{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000094828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.074{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000094827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.074{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000094826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.074{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000094825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:21.070{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-11C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000094824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:21.070{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-11C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000094823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.070{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000094822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.070{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000094821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.070{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000094820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.056{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.056{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000094818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.056{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000094817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:21.055{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.9853993632592999680C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000094816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:21.055{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.9853993632592999680C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000094815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.055{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000094814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.055{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000094813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:21.054{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.15.22815413C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000094812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.051{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000094811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:21.050{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000094810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.046{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000094809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.046{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000094808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.045{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000094807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.045{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000094806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.045{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000094805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.044{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000094804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.044{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000094803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.044{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000094802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.043{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000094801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.043{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000094800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.043{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000094799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.041{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000094798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.040{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000094797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.040{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000094796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.040{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000094795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.036{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000094794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.036{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000094793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.036{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000094792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.036{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000094791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.036{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000094790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.036{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000094789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.036{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000094788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.036{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000094787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.036{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000094786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.035{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000094785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.034{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000094784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.033{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000094783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.033{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000094782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.032{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000094781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.032{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000094780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.031{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000094779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.031{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000094778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.030{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000094777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.029{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000094776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.029{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000094775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.029{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000094774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.028{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000094773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.028{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.023{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.023{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.022{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.022{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.022{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000094767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000094766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.022{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.15.228154138\240851340" -childID 12 -isForBrowser -prefsHandle 9192 -prefMapHandle 9264 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6fbf181-2fcc-48d4-812f-5f516b452006} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 8992 17932bf9258 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000094765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.018{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.014{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.014{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.014{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.014{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.014{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.014{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:21.014{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000094739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:21.014{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.15.22815413C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000069882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:22.607{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CFF687FA4B17E3F3AF83C30C503719E,SHA256=C576876C502D3DC3C5CE6A98F15721D6C9ED73BBA25798EEBD0910474EC4F134,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.997{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\usage-journal2023-01-17 10:35:22.997 11241100x800000000000000094945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.997{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journal2023-01-17 10:35:22.997 11241100x800000000000000094944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.765{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.765{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63920028BCE849054ADD25BEBE607C62,SHA256=C72A4BF030FF5B8E78D12831F218FD5AF4EAD6E8B23EB04CD0B7BF3D1AE2B774,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000094942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:19.690{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local52173-false142.251.165.155rg-in-f155.1e100.net443https 10341000x800000000000000094941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.327{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000094940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.327{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000094939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.327{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000094938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.233{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A7E3EC31793F40C46BD07ADA1820E28FD62C123B2023-01-17 10:35:22.233 11241100x800000000000000094937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.233{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BBC55D3923D30D42EADC8399BA708793EECA4C4B2023-01-17 10:35:22.233 11241100x800000000000000094936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.232{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3F871A04B51765E1B1E7FE3E4307BBF608E7FBFF2023-01-17 10:35:22.232 11241100x800000000000000094935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.232{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\67FA364673709B2531102838492206F0C3153D8C2023-01-17 10:32:38.593 11241100x800000000000000094934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.231{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6E83CD15579A8C5413EB9230549F8A32509484242023-01-17 10:32:34.701 23542300x800000000000000094933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.231{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\21935MD5=B8AF68BA033684595835565DF14CD28F,SHA256=E4CB5B4F93D48F6509E572BE4924641C47CBE28D86C4790E688031B62F98D5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000094932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.230{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\4934MD5=B76DDC89CA77E46710D093FF8E52EE5D,SHA256=A329A9F17E9C40C705FBE1432E19EF6446B5D66D6F2551C513C694A0E2670E6A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.141{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.141{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971B655765160045BE0A2A10B06D3245,SHA256=DCBA4784DF900B3F63922B2366EFD719478ECCAE9C3F32A8583B666D714D2328,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:20.112{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50373-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:23.680{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DF3E389A9A618DB8A7DEBD4F49F6F1,SHA256=A42239A5BE47DDE5BF6ECC2A0A7F6A5367C48F3C43F9462B365178C0D533C20D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.952{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2794A86112A1C926F0B8DF2E705937D18737CF742023-01-17 10:35:23.952 11241100x800000000000000094980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.952{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\38758B42A194F13863161686C6EB1BC48612744A2023-01-17 10:35:23.952 11241100x800000000000000094979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.952{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F12438933DCAA5300F771BB2C408A2B6AB6F22AA2023-01-17 10:35:23.952 11241100x800000000000000094978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.949{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9CF0496EDCC216256DA7573FCC77D422FD2C06292023-01-17 10:35:23.949 11241100x800000000000000094977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.949{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\83CE10494D3E58C0F03524C715C16552638CCFFA2023-01-17 10:35:23.945 11241100x800000000000000094976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\51010D7CD9FF2FB1135EFFEC1B4F978A64EBAC8F2023-01-17 10:35:23.945 11241100x800000000000000094975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.943{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\91FE03868409D2D2046E144BBE539BB41501E1E42023-01-17 10:35:23.943 11241100x800000000000000094974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.939{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9E80E7BF153B7A9120488CEC1814823EDE1751012023-01-17 10:35:23.939 11241100x800000000000000094973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.927{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7224EA6F4C55B6C03093F8000BE8458D9B1449002023-01-17 10:35:23.927 11241100x800000000000000094972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.904{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\77037F866A514A51DE3CDA0A0143397F179180ED2023-01-17 10:35:23.904 11241100x800000000000000094971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.904{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CABE41338C1E611E6CAF97D280313A8F6E6856902023-01-17 10:35:23.904 11241100x800000000000000094970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.904{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DEFF1F5408B99CB0DA50CE52100321351B67E6AB2023-01-17 10:35:23.904 11241100x800000000000000094969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.904{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EB73E7FF0DA31744A2FBB64A65A5138D85179E372023-01-17 10:35:23.904 11241100x800000000000000094968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.904{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\395C04ECA6B6583B74448CB7A509346C937E585C2023-01-17 10:35:23.904 11241100x800000000000000094967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\817CC1F78F6A9D037F170EFA3F01E90349CE9D6F2023-01-17 10:35:23.900 11241100x800000000000000094966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A02F48254D57853564F86922DCD9CD29E75453F52023-01-17 10:35:23.900 11241100x800000000000000094965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F0C1F55C84FD47BBF0A35003D0E477E1ECED695F2023-01-17 10:35:23.900 11241100x800000000000000094964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.897{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FC3C8350E0607297C4C5A84E133F6F4B66CC97EF2023-01-17 10:35:23.897 11241100x800000000000000094963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.890{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\12484E758A4F210277B716BDFA5210D2FDF7A18C2023-01-17 10:35:23.890 11241100x800000000000000094962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.885{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BBE2CA9254EC38F15C713F5D7D21D7822258AB9B2023-01-17 10:35:23.885 11241100x800000000000000094961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.885{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F1C3DF2AAF61CEB425BDD139677CB4C14482245F2023-01-17 10:35:23.885 11241100x800000000000000094960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.804{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000094959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.804{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E336E3AB367F4C96A97F054C56099A,SHA256=EF9109C5BB0F4FE20134266B6BBE3217A70BA09E2222933FA94F3175F4C14685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:23.063{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-053MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\70D4B933DB0A168E9C9E8BF4AC9C05B6553086A52023-01-17 10:35:23.736 10341000x800000000000000094957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.728{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.722{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 11241100x800000000000000094955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.722{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\index.tmp2023-01-17 10:35:23.721 23542300x800000000000000094954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.481{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journalMD5=060A7A8A8F53EC9758F54057B155C8C3,SHA256=553B01CA1C5F29B632C0B7FEA7505C13A41F802DEC96652FFBF12CB2FE545C36,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.473{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\permissions.sqlite-journal2023-01-17 10:35:19.575 354300x800000000000000094952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.769{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49622-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000094951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.769{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49622-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000094950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:20.349{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52046- 23542300x800000000000000094949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.005{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=9208FCEF1490158147DE9B5DDD7DF0DA,SHA256=6FB2F49F26F3E65507F14B2578B19159C0C0CBE7448ABBC7EBCA3A07CB861C6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000094948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.997{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\usage2023-01-17 10:32:39.627 23542300x800000000000000094947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.997{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++www.google.com\ls\usageMD5=5F933F74D21B6B8C8F9DAA8E4C730DAE,SHA256=6943A69CA2C9EFE83D55023A4A786E33BF2C213E1ECD9D4E48014C12FB094F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:24.747{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEE2E7CC839646CA46B9AAD6590FA5C,SHA256=FEA203FF4F6CE1923CA235CCF26A529CBAC33F730AC93409618BBC3930A3DCA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:24.073{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-054MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000095495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.991{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E9E8B02B67A171FB28ADD328DB91E7741763C89B2023-01-17 10:35:24.991 23542300x800000000000000095494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.974{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=ECDF007C1FB6E97AD75BFE91B5AD2BC0,SHA256=90BAFDD3F002D3AE21AE4834791E7D67DE6C23335A47E991A9DE6FACE6EA7C1D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000095493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.961{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 354300x800000000000000095492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.020{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local55682-false104.18.11.25-443https 354300x800000000000000095491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.990{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49636-false72.21.91.29-80http 354300x800000000000000095490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49635-false72.21.91.29-80http 354300x800000000000000095489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.987{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49634-false72.21.91.29-80http 354300x800000000000000095488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.985{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49633-false72.21.91.29-80http 354300x800000000000000095487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49628-false104.18.11.25-443https 354300x800000000000000095486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49630-false104.18.11.25-443https 354300x800000000000000095485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49626-false104.18.11.25-443https 354300x800000000000000095484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49624-false104.16.56.101-443https 354300x800000000000000095483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.922{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49632-false104.18.11.25-443https 354300x800000000000000095482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.922{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49625-false104.18.11.25-443https 354300x800000000000000095481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.921{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49631-false104.18.11.25-443https 354300x800000000000000095480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.920{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49629-false104.18.11.25-443https 354300x800000000000000095479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.920{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49627-false104.18.11.25-443https 354300x800000000000000095478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.912{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55681- 354300x800000000000000095477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.911{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55863- 354300x800000000000000095476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.910{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62136- 354300x800000000000000095475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.909{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65058- 354300x800000000000000095474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.906{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52532- 354300x800000000000000095473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.887{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51109- 11241100x800000000000000095472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.932{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5CBEB5E29B9DC7ED41F1618DF930F874881FCEC92023-01-17 10:35:24.931 10341000x800000000000000095471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.932{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.931{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.931{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.931{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.931{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.931{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000095465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6D4A8BCC15093D1A6195195B88E781A9EEDAF80F2023-01-17 10:35:24.923 734700x800000000000000095464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.912{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000095463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.911{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000095462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.911{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000095461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.910{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000095460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.909{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000095459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.908{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000095458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.908{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000095457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.908{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 11241100x800000000000000095456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.903{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000095455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.903{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F926059F728BDE9A60DF6E134C14B181,SHA256=74E8DEBE8265F2938F278883565B3B04697570442562D174665B8BCCE0F949C0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000095454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.899{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 10341000x800000000000000095453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.899{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.899{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.899{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000095450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.899{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 10341000x800000000000000095449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.899{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.898{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.898{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000095446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.898{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000095445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.897{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000095444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.896{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000095443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.896{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000095442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.896{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000095441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.895{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000095440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.895{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000095439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.895{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.895{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000095437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.895{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000095436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.895{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000095435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.895{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000095434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.894{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000095433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.894{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000095432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.894{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000095431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.894{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000095430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.894{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000095429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.893{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000095428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.893{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000095427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.893{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000095426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.893{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000095425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.893{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000095424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.892{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000095423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.892{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000095422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.892{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000095421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.891{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.890{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000095419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.890{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000095418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.889{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.889{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000095416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.889{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.889{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.888{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.888{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.888{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000095411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.888{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000095410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.888{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000095409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.879{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.879{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000095407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.879{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000095406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.859{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000095405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.858{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000095404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.855{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.854{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.849{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000095401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.847{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000095400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.846{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000095399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.844{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000095398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.843{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000095397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.842{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000095396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.842{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.842{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.841{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000095393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.839{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 10341000x800000000000000095392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.839{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.838{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.837{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000095389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.836{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000095388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.836{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000095387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.835{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000095386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.835{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000095385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.833{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000095384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.831{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000095383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.830{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 18141800x800000000000000095382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.830{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-14C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000095381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:24.830{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-14C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.828{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000095379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.828{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000095378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.827{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000095377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.827{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000095376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.827{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000095375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.826{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000095374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.825{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.825{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.824{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x800000000000000095371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.823{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.822{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 10341000x800000000000000095369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.821{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.820{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000095367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.819{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000095366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.818{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000095365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.818{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000095364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.817{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000095363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.816{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000095362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.814{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000095361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.814{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 18141800x800000000000000095360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.812{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-13C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000095359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:24.812{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-13C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000095358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.810{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.810{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000095356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.810{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000095355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.809{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000095354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.809{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000095353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.809{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 10341000x800000000000000095352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.809{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.808{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.808{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000095349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.808{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000095348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.808{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.3040901566437348424C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000095347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:24.807{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.3040901566437348424C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.807{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000095345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.805{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000095344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.805{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.18.31534875C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.804{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000095342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.802{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000095341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.801{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000095340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.801{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000095339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.801{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000095338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.800{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x800000000000000095337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.799{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000095336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.799{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000095335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.795{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-12C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000095334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:24.795{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-12C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000095333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.794{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.794{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000095331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.793{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000095330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.793{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000095329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.793{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000095328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.793{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000095327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.792{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000095326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.792{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000095325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.792{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000095324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.792{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000095323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.791{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000095322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.791{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000095321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.791{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000095320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.790{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 18141800x800000000000000095319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.790{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.10273717645055705189C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000095318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:24.790{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.10273717645055705189C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.790{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000095316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.789{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000095315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.789{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 10341000x800000000000000095314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.789{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000095313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.787{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.17.97292881C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.787{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000095311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.785{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000095310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.785{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000095309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.784{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000095308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.784{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000095307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.783{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000095306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.783{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000095305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.782{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000095304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.780{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 10341000x800000000000000095303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.780{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000095302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.780{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.779{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000095300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.779{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000095299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.779{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.778{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000095297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.776{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.776{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000095295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.776{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000095294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.775{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000095293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.774{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000095292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.774{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000095291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.774{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 18141800x800000000000000095290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.774{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.5579848230734247914C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000095289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:24.774{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.5579848230734247914C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.773{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000095287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.773{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000095286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.773{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000095285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.773{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000095284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.773{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x800000000000000095283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.772{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.772{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 18141800x800000000000000095281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.772{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.16.157295493C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.772{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000095279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.772{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000095278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.772{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000095277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.771{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000095276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.771{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000095275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.771{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000095274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.771{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000095273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.770{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000095272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.770{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000095271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.770{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000095270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.770{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000095269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.769{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000095268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.768{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000095267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.768{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000095266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.767{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000095265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.767{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000095264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.767{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.767{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000095262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.767{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000095261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.767{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.767{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000095259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:24.767{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.767{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000095257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.766{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000095256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.766{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000095255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.765{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 10341000x800000000000000095254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.764{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.764{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.764{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 10341000x800000000000000095251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.764{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.764{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.763{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000095248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.763{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000095247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.762{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.762{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000095245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.762{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000095244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.761{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000095243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.762{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.18.315348759\888579479" -childID 15 -isForBrowser -prefsHandle 7824 -prefMapHandle 7820 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {caca0162-874a-489e-8fc2-05f9a7768a1f} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 8068 17933ce6c58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x800000000000000095242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.761{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000095241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.760{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000095240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.760{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000095239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.760{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x800000000000000095238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.760{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.760{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.760{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x800000000000000095235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.760{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.759{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.759{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 10341000x800000000000000095232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.759{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.759{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x800000000000000095230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.759{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.759{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.759{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x800000000000000095227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.758{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.758{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x800000000000000095225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.758{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.758{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x800000000000000095223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.758{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.758{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 10341000x800000000000000095221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.758{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.758{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.758{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000095218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.757{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 10341000x800000000000000095217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.757{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.757{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.757{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.757{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000095213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.757{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 10341000x800000000000000095212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.757{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.757{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.757{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.756{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x800000000000000095208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.756{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.755{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.755{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 10341000x800000000000000095205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.755{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.755{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.755{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.755{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.754{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.754{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x800000000000000095199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.754{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.754{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000095197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.753{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000095196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.753{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000095195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.753{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000095194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.753{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000095193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.752{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000095192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.752{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 17141700x800000000000000095191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:24.752{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.18.31534875C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.751{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000095189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.751{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000095188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.751{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000095187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.751{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 10341000x800000000000000095186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.750{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000095185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.750{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.750{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000095183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.750{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.749{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000095181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.748{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000095180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.748{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000095179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.747{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.747{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000095177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.745{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.745{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.744{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.744{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.744{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x800000000000000095172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.744{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000095171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.744{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x800000000000000095170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.744{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000095169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.744{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.17.972928818\1038046930" -childID 14 -isForBrowser -prefsHandle 8044 -prefMapHandle 8040 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a406a20-9369-4a38-9114-2de1e3feedf6} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7964 17933ce6058 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000095168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.743{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.743{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x800000000000000095162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x800000000000000095157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.742{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x800000000000000095153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x800000000000000095149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x800000000000000095145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.740{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.740{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.740{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.740{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.740{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.740{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 10341000x800000000000000095138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.740{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.739{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.740{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000095135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.738{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 17141700x800000000000000095134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:24.738{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.17.97292881C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.738{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000095132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.737{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000095131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.737{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.737{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000095129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.736{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.731{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.731{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.731{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.730{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.730{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000095123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.730{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000095122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.730{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.16.1572954938\303475417" -childID 13 -isForBrowser -prefsHandle 4956 -prefMapHandle 4968 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41912a4d-fd2d-4d53-9cbe-f76b33e4821f} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 2204 17933ce5a58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000095121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.729{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.729{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.729{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.729{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.728{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.728{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.728{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.728{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.728{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.727{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.727{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.727{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.727{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.727{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.727{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.727{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.726{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.726{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.726{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.726{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.726{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.726{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.725{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.725{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.725{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.724{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000095095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:24.723{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.16.157295493C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000095094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:22.616{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49623-false104.18.10.128-443https 11241100x800000000000000095093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.669{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9BD746F7916437B79EABA459D5A0A2196AC0787E2023-01-17 10:35:24.669 11241100x800000000000000095092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.628{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B6CC53B0972D295D54F95FA82A5838EC5616B0262023-01-17 10:35:24.628 11241100x800000000000000095091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.540{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\95016BC4AAA584E1F50915AE9D7D4873655C616F2023-01-17 10:35:24.539 10341000x800000000000000095090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.513{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 11241100x800000000000000095089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.494{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1886ABAEC1EE77714D16B137EDE5E8A9550DBB672023-01-17 10:35:24.494 11241100x800000000000000095088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.493{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\45A584244A044E592FC518BEE2FD1CA865CC8F732023-01-17 10:35:24.493 22542200x800000000000000095087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.380{F172AD64-7935-63C6-6402-00000000B002}2296pbid.pro-market.net02600:1901:0:8eee::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.379{F172AD64-7935-63C6-6402-00000000B002}2296pbid.pro-market.net0107.178.240.89;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.378{F172AD64-7935-63C6-6402-00000000B002}2296pbid.pro-market.net0::ffff:107.178.240.89;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.294{F172AD64-7935-63C6-6402-00000000B002}2296a1944.d.akamai.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.281{F172AD64-7935-63C6-6402-00000000B002}2296a1944.d.akamai.net023.220.206.73;23.220.206.47;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.280{F172AD64-7935-63C6-6402-00000000B002}2296ads.pro-market.net0type: 5 ads.pro-market.net.akamaized.net;type: 5 a1944.d.akamai.net;::ffff:23.220.206.47;::ffff:23.220.206.73;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.279{F172AD64-7935-63C6-6402-00000000B002}2296a1916.dscg2.akamai.net02600:140a:e000::173d:f691;2600:140a:e000::173d:f6a3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.273{F172AD64-7935-63C6-6402-00000000B002}2296tag.crsspxl.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.271{F172AD64-7935-63C6-6402-00000000B002}2296tag.crsspxl.com034.232.140.51;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000095078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.490{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=C595DB23CBF38EF27747C62BEA142861,SHA256=F5156FBBA881732BD2D023E004B2C0D6E573B2A45161573FBE2B0575445070FF,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000095077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.270{F172AD64-7935-63C6-6402-00000000B002}2296tag.crsspxl.com0::ffff:34.232.140.51;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.268{F172AD64-7935-63C6-6402-00000000B002}2296a1916.dscg2.akamai.net023.33.22.145;23.33.22.134;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.267{F172AD64-7935-63C6-6402-00000000B002}2296snap.licdn.com0type: 5 od.linkedin.edgesuite.net;type: 5 a1916.dscg2.akamai.net;::ffff:23.33.22.134;::ffff:23.33.22.145;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.240{F172AD64-7935-63C6-6402-00000000B002}2296c.sf-syn.com02606:4700::6812:d5c;2606:4700::6812:c5c;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.234{F172AD64-7935-63C6-6402-00000000B002}2296analytics.slashdotmedia.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-7935-63C6-6402-00000000B002}2296c.sf-syn.com0104.18.12.92;104.18.13.92;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.217{F172AD64-7935-63C6-6402-00000000B002}2296c.sf-syn.com0::ffff:104.18.13.92;::ffff:104.18.12.92;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.209{F172AD64-7935-63C6-6402-00000000B002}2296analytics.slashdotmedia.com0216.105.38.9;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.208{F172AD64-7935-63C6-6402-00000000B002}2296analytics.slashdotmedia.com0::ffff:216.105.38.9;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.175{F172AD64-7935-63C6-6402-00000000B002}2296ad-delivery.net02606:4700:20::ac43:4513;2606:4700:20::681a:346;2606:4700:20::681a:246;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.168{F172AD64-7935-63C6-6402-00000000B002}2296ad-delivery.net0104.26.2.70;172.67.69.19;104.26.3.70;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.167{F172AD64-7935-63C6-6402-00000000B002}2296ad-delivery.net0::ffff:104.26.3.70;::ffff:104.26.2.70;::ffff:172.67.69.19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.115{F172AD64-7935-63C6-6402-00000000B002}2296nace.vap.lijit.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.113{F172AD64-7935-63C6-6402-00000000B002}2296nace.vap.lijit.com069.175.41.15;69.175.41.32;69.175.41.2;69.175.41.44;69.175.41.79;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.113{F172AD64-7935-63C6-6402-00000000B002}2296gob-njr3.pubmnet.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.112{F172AD64-7935-63C6-6402-00000000B002}2296ap.lijit.com0type: 5 vap.lijit.com;type: 5 nace.vap.lijit.com;::ffff:69.175.41.79;::ffff:69.175.41.15;::ffff:69.175.41.32;::ffff:69.175.41.2;::ffff:69.175.41.44;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.111{F172AD64-7935-63C6-6402-00000000B002}2296gob-njr3.pubmnet.com0104.36.115.111;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.952{F172AD64-7935-63C6-6402-00000000B002}2296btloader.com02606:4700:20::ac43:4686;2606:4700:20::681a:78b;2606:4700:20::681a:68b;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.945{F172AD64-7935-63C6-6402-00000000B002}2296btloader.com0104.26.6.139;104.26.7.139;172.67.70.134;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.944{F172AD64-7935-63C6-6402-00000000B002}2296btloader.com0::ffff:172.67.70.134;::ffff:104.26.6.139;::ffff:104.26.7.139;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.801{F172AD64-7935-63C6-6402-00000000B002}2296a.fsdn.com.cdn.cloudflare.net02606:4700::6812:b19;2606:4700::6812:a19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.785{F172AD64-7935-63C6-6402-00000000B002}2296static.cloudflareinsights.com02606:4700::6810:3965;2606:4700::6810:3865;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.784{F172AD64-7935-63C6-6402-00000000B002}2296a.fsdn.com.cdn.cloudflare.net0104.18.10.25;104.18.11.25;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.782{F172AD64-7935-63C6-6402-00000000B002}2296a.fsdn.com0type: 5 a.fsdn.com.cdn.cloudflare.net;::ffff:104.18.11.25;::ffff:104.18.10.25;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.782{F172AD64-7935-63C6-6402-00000000B002}2296static.cloudflareinsights.com0104.16.57.101;104.16.56.101;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.781{F172AD64-7935-63C6-6402-00000000B002}2296static.cloudflareinsights.com0::ffff:104.16.56.101;::ffff:104.16.57.101;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000095051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.477{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 23542300x800000000000000095050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.469{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=CEC6366FAE84B5D2CED67B07C36CEEB6,SHA256=3D398D99D87A51DAA694F258D950F54C8B3EB45C57BD64CC3ED994928ED836A3,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000095049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.460{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000095048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.459{F172AD64-79EC-63C6-9302-00000000B002}69204172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.459{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 11241100x800000000000000095046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.458{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 734700x800000000000000095045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.458{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000095044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.450{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FE48B12407206923D7BDCF03BC0DDB276F7D45FD2023-01-17 10:35:24.450 11241100x800000000000000095043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.448{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\697BE644D2BB64233A5E332D16AE78922C5526252023-01-17 10:35:24.448 11241100x800000000000000095042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.404{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\dea920aaec6d062c2023-01-17 10:35:24.404 11241100x800000000000000095041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.373{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3CEF421BDE4781CDBC9AEFEBE107D896BCF621EA2023-01-17 10:35:24.373 11241100x800000000000000095040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.365{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000095039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.364{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8670B9F7283D6AA99C69F424103D3891,SHA256=EFBC95B17992E89A0C65DC6436653F50C426A1156230F772A75447520B65E216,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000095038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.358{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8B16EE5381C2202AF96465BFB1E4CD1396482D322023-01-17 10:35:24.358 10341000x800000000000000095037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.348{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9 11241100x800000000000000095036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.348{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C7E43BB0EA8CCC220D110C442838D2B70AC3B12E2023-01-17 10:35:24.347 11241100x800000000000000095035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.340{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FE7ED57C0BB890FB0322ACB8B8B830B12EDCCCF62023-01-17 10:35:24.339 23542300x800000000000000095034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.314{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=40577382D5DA3483517AB5D33CD51DB7,SHA256=2C68C843D10930B130DB4D5B6CACEEC6A65166235A5318E69A15C1FB2F9726AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000095033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.302{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 23542300x800000000000000095032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.241{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=C5F0FCE9767906DB5967854DE0AD90FB,SHA256=5F2E93335BEC8AFA91344A24F937F80BB93B23FB8766112B80CFBB8351285B3C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000095031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.237{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000095030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.237{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000095029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.236{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000095028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.235{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000095027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.234{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000095026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.233{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000095025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.233{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000095024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.232{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 11241100x800000000000000095023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.229{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 734700x800000000000000095022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000095021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000095020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000095019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000095018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000095017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000095016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000095015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000095014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000095012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000095011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000095010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.222{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000095009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000095008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000095007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000095006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000095005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000095004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000095003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000095002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000095001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000095000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000094999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000094998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000094997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000094996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000094995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000094994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000094993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.218{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000094992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.214{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000094991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.214{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000094990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.214{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.214{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.214{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.214{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.214{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000094985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.214{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000094984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.216{F172AD64-79EC-63C6-9302-00000000B002}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000094983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.210{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000094982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.022{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E2195B15E085550C47C77CCD6B686DD3700762982023-01-17 10:35:24.022 23542300x800000000000000069887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:25.937{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9185EF723E401615D403E8719C982C2A,SHA256=3DE3DA1D9F0A1F15255304E1DC8125317E7A39BE937EB354F8DFD71CF2B13B1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.036{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49675-false172.217.0.174mia09s16-in-f14.1e100.net443https 354300x800000000000000095702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.036{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49676-false142.250.190.34ord37s33-in-f2.1e100.net443https 354300x800000000000000095701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.035{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49662-false172.217.2.38atl14s78-in-f6.1e100.net443https 354300x800000000000000095700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.030{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49671-false34.232.140.51ec2-34-232-140-51.compute-1.amazonaws.com443https 354300x800000000000000095699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.030{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49667-false34.111.234.236236.234.111.34.bc.googleusercontent.com443https 354300x800000000000000095698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.028{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49663-false23.33.22.134a23-33-22-134.deploy.static.akamaitechnologies.com443https 354300x800000000000000095697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.911{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49381- 354300x800000000000000095696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.911{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63349- 354300x800000000000000095695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.908{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55474- 11241100x800000000000000095694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.923{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000095693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.923{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBD87BCDB5D596C0F4182A7F3389AEB,SHA256=0C526B595B34EF31B18C3DEF96AA485CF49E75BF820635AD0511D160FEA0E7B9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000095692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.868{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\233C2BC88FA7883CD3CA4F8BE40CBA40CF2112692023-01-17 10:35:25.868 11241100x800000000000000095691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.823{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000095690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.822{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0EBBB97AE5568979465FEB1087DFFC9,SHA256=5CF4B1F659A13E4C65BBBDB9A8706DF452EEFE3FEF68F0329485386B3672C0AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000095689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.817{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000095688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.816{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D178CE4371BD2431FF0B1D3B8724B75,SHA256=E00454ED21FD664439692DF6599C14B7308990E5124E69526AFA6AE4C72B0ED2,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000095687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.743{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000095686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.743{F172AD64-79ED-63C6-9802-00000000B002}73847388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.736{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000095684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.735{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000095683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.714{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7B32380513110F504384AB589D3268149C6BB39C2023-01-17 10:35:25.714 10341000x800000000000000095682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.707{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+45a2cc6|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22 11241100x800000000000000095681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.592{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\767A7484066399B75E2135048750B869B2E0C6822023-01-17 10:35:25.592 734700x800000000000000095680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.577{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000095679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.576{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000095678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.576{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000095677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.575{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000095676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.573{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000095675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.573{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000095674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.573{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000095673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.572{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000095672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.566{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000095671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.566{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000095670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.566{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000095669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.566{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000095668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.565{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000095667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.565{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000095666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.565{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000095665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.565{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.565{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000095663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.564{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000095662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.564{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000095661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.564{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000095660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.564{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000095659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.564{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000095658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.564{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000095657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.564{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000095656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.564{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000095655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.564{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000095654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.564{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000095653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.563{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000095652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.563{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000095651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.563{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000095650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.563{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000095649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.563{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000095648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.563{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000095647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.563{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000095646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.563{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000095645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.563{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000095644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.562{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.561{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000095642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.561{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000095641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.560{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.560{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000095639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.560{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.560{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.560{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.560{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.559{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000095634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.559{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000095633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.559{F172AD64-79ED-63C6-9802-00000000B002}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000095632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BFC239390D73CE952C21C783E9975EC316436E9B2023-01-17 10:35:25.557 23542300x800000000000000095631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.532{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=3189B28E82610BAAB4957846E3F8003A,SHA256=7AF1867461E26785A593AD4FA41B1D1750347DC669A3911BAB0ADCBC121130F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000095630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.520{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 11241100x800000000000000095629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.517{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E37F93B4D9AF832991DE07529F18224C81C1D15B2023-01-17 10:35:25.516 23542300x800000000000000095628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.514{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=51BD19F21E06786A915C8788D7D10C8A,SHA256=8A34BDDF73DB71D14FE423824BDF45E2F551F9149D94FE937616EC90579D9092,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000095627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.504{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 23542300x800000000000000095626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.495{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=B1A3FB26016497182726B32DAA4ECCA5,SHA256=B121D1E292E4281DE577A70BFC42DAF6942C801B5E9A00658E683842BA2A0365,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000095625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.307{F172AD64-7935-63C6-6402-00000000B002}2296ps.eyeota.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.306{F172AD64-7935-63C6-6402-00000000B002}2296ps.eyeota.net052.55.144.0;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.306{F172AD64-7935-63C6-6402-00000000B002}2296dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.304{F172AD64-7935-63C6-6402-00000000B002}2296dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com054.81.162.140;52.6.206.33;54.175.190.79;3.213.8.144;18.213.92.15;54.84.113.212;3.210.144.93;34.233.34.86;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.304{F172AD64-7935-63C6-6402-00000000B002}2296ps.eyeota.net0::ffff:52.55.144.0;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.015{F172AD64-7935-63C6-6402-00000000B002}2296api.btloader.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.013{F172AD64-7935-63C6-6402-00000000B002}2296api.btloader.com0130.211.23.194;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.013{F172AD64-7935-63C6-6402-00000000B002}2296api.btloader.com0::ffff:130.211.23.194;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.995{F172AD64-7935-63C6-6402-00000000B002}2296d1ni990a184w7d.cloudfront.net02600:9000:24f7:b000:2:53b2:240:93a1;2600:9000:24f7:9c00:2:53b2:240:93a1;2600:9000:24f7:b800:2:53b2:240:93a1;2600:9000:24f7:7800:2:53b2:240:93a1;2600:9000:24f7:200:2:53b2:240:93a1;2600:9000:24f7:cc00:2:53b2:240:93a1;2600:9000:24f7:f800:2:53b2:240:93a1;2600:9000:24f7:4600:2:53b2:240:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.992{F172AD64-7935-63C6-6402-00000000B002}2296l-0005.l-msedge.net02620:1ec:21::14;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.991{F172AD64-7935-63C6-6402-00000000B002}2296l-0005.l-msedge.net013.107.42.14;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.990{F172AD64-7935-63C6-6402-00000000B002}2296d1ni990a184w7d.cloudfront.net0108.156.172.29;108.156.172.4;108.156.172.129;108.156.172.28;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.990{F172AD64-7935-63C6-6402-00000000B002}2296px.ads.linkedin.com0type: 5 www.linkedin.com;type: 5 www-linkedin-com.l-0005.l-msedge.net;type: 5 l-0005.l-msedge.net;::ffff:13.107.42.14;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.989{F172AD64-7935-63C6-6402-00000000B002}2296cdn.linkedin.oribi.io0type: 5 d1ni990a184w7d.cloudfront.net;::ffff:108.156.172.28;::ffff:108.156.172.29;::ffff:108.156.172.4;::ffff:108.156.172.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.422{F172AD64-7935-63C6-6402-00000000B002}2296ocsp.comodoca.com.cdn.cloudflare.net02606:4700:4400::6812:2044;2606:4700:4400::ac40:9bbc;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.421{F172AD64-7935-63C6-6402-00000000B002}2296ocsp.comodoca.com.cdn.cloudflare.net0104.18.32.68;172.64.155.188;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.393{F172AD64-7935-63C6-6402-00000000B002}2296r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;23.64.114.213;23.64.114.220;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.393{F172AD64-7935-63C6-6402-00000000B002}2296a1887.dscq.akamai.net023.64.114.220;23.64.114.213;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.392{F172AD64-7935-63C6-6402-00000000B002}2296r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:23.64.114.213;::ffff:23.64.114.220;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000095606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.482{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 354300x800000000000000095605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49661-false172.64.155.188-80http 354300x800000000000000095604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.549{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53092- 354300x800000000000000095603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.548{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55600- 354300x800000000000000095602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.531{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49660-false23.64.114.220a23-64-114-220.deploy.static.akamaitechnologies.com80http 354300x800000000000000095601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49659-false107.178.240.89-443https 354300x800000000000000095600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.518{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53601- 354300x800000000000000095599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.516{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local61110- 354300x800000000000000095598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.515{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local61741- 354300x800000000000000095597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.512{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local50319- 354300x800000000000000095596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.507{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50672- 354300x800000000000000095595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.506{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53003- 354300x800000000000000095594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.504{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53571- 354300x800000000000000095593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.493{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55455- 354300x800000000000000095592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.493{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61114- 354300x800000000000000095591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.492{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62211- 354300x800000000000000095590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.491{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61113- 354300x800000000000000095589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.491{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52306- 354300x800000000000000095588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.490{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51811- 354300x800000000000000095587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.489{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61741- 354300x800000000000000095586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.489{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50063- 354300x800000000000000095585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.486{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50319- 354300x800000000000000095584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.485{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64625- 354300x800000000000000095583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.485{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55727- 354300x800000000000000095582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.481{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55372- 354300x800000000000000095581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.481{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62010- 354300x800000000000000095580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.468{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61109-false104.18.13.92-443https 354300x800000000000000095579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.456{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49658-false192.124.249.24cloudproxy10024.sucuri.net80http 354300x800000000000000095578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.439{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49650-false216.105.38.9-443https 354300x800000000000000095577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.431{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local55735- 354300x800000000000000095576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.420{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49657-false23.220.206.47a23-220-206-47.deploy.static.akamaitechnologies.com443https 354300x800000000000000095575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.409{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52718- 354300x800000000000000095574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.405{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55735- 354300x800000000000000095573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.402{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51189- 354300x800000000000000095572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.398{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55406- 354300x800000000000000095571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.397{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52134- 354300x800000000000000095570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.395{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61899- 354300x800000000000000095569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.395{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53398- 354300x800000000000000095568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.394{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61804- 354300x800000000000000095567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.393{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50176- 354300x800000000000000095566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.383{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49653-false104.18.13.92-443https 354300x800000000000000095565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.377{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49656-false108.156.178.65server-108-156-178-65.cmh68.r.cloudfront.net80http 354300x800000000000000095564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.375{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49654-false108.156.178.146server-108-156-178-146.cmh68.r.cloudfront.net80http 354300x800000000000000095563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.375{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49655-false108.156.178.146server-108-156-178-146.cmh68.r.cloudfront.net80http 354300x800000000000000095562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.374{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49651-false108.156.178.146server-108-156-178-146.cmh68.r.cloudfront.net80http 354300x800000000000000095561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.374{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49652-false108.156.178.146server-108-156-178-146.cmh68.r.cloudfront.net80http 354300x800000000000000095560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.346{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54447- 354300x800000000000000095559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.337{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49649-false104.26.3.70-443https 354300x800000000000000095558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.337{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52441- 354300x800000000000000095557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.336{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52501- 354300x800000000000000095556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.336{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53251- 354300x800000000000000095555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.336{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49648-false104.26.3.70-443https 354300x800000000000000095554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.334{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55433- 354300x800000000000000095553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.323{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64208- 734700x800000000000000095552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.437{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 11241100x800000000000000095551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.341{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C58BCDB1D495C25CED2CF9F924AB9932E2E26DFE2023-01-17 10:35:25.340 11241100x800000000000000095550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.307{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3291C455437D276CD7EA32ED46435D5216C4365A2023-01-17 10:35:25.307 11241100x800000000000000095549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.241{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000095548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.241{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2325C2ED4594BA60CAB22B7BEE55A1F4,SHA256=CFE289D378EFC4377D006B96A80C2E41D2D3D6967F46EAE58CCF4D56CB384E2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000095547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.313{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49702- 354300x800000000000000095546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.298{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63963- 354300x800000000000000095545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.298{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53425- 354300x800000000000000095544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.296{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61166- 354300x800000000000000095543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.291{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54900- 354300x800000000000000095542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.289{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61300- 354300x800000000000000095541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.284{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49647-false10.0.1.12-8000- 354300x800000000000000095540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.272{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49646-false8.43.72.62-443https 354300x800000000000000095539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.268{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49645-false69.175.41.79sovrn-193627-chi03-placeholder443https 354300x800000000000000095538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.256{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49644-false104.36.115.111-443https 354300x800000000000000095537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.252{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49643-false35.174.162.157ec2-35-174-162-157.compute-1.amazonaws.com443https 354300x800000000000000095536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.252{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49641-false35.174.162.157ec2-35-174-162-157.compute-1.amazonaws.com443https 354300x800000000000000095535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.252{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49642-false35.174.162.157ec2-35-174-162-157.compute-1.amazonaws.com443https 354300x800000000000000095534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.244{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55404- 354300x800000000000000095533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.243{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53075- 354300x800000000000000095532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.242{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49640-false35.174.162.157ec2-35-174-162-157.compute-1.amazonaws.com443https 354300x800000000000000095531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.241{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54323- 354300x800000000000000095530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.241{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53054- 354300x800000000000000095529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.240{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49639-false35.174.162.157ec2-35-174-162-157.compute-1.amazonaws.com443https 354300x800000000000000095528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.240{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51372- 354300x800000000000000095527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.239{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49638-false68.67.179.89565.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net443https 354300x800000000000000095526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.238{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50073- 354300x800000000000000095525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.236{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55536- 354300x800000000000000095524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.235{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49821- 354300x800000000000000095523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.231{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54718- 354300x800000000000000095522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.230{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61341- 354300x800000000000000095521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.225{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62514- 354300x800000000000000095520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.224{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53101- 354300x800000000000000095519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.223{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64135- 354300x800000000000000095518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.083{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49637-false172.67.70.134-443https 354300x800000000000000095517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.073{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50622- 354300x800000000000000095516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:23.069{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54165- 11241100x800000000000000095515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.187{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1EDA06C37D404EED6ACA48E71FDD2EB2EC10619C2023-01-17 10:35:25.187 11241100x800000000000000095514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.167{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6D980CA98C20594574E94B28C6A4016225C170AB2023-01-17 10:35:25.167 11241100x800000000000000095513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.130{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000095512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.129{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0AE32221B37CAEB77D0B4C53C50F1B,SHA256=9D8DD9A26893C3BC951BFF2D26D5B3E253A9145C35D7499B3A888C9ED7117E79,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000095511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.087{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000095510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.087{F172AD64-79EC-63C6-9702-00000000B002}72847288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.087{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000095508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.087{F172AD64-79EC-63C6-9702-00000000B002}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x800000000000000095507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.055{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1843558B7DFC8AA2684A728239210F3CB74625CE2023-01-17 10:35:25.055 11241100x800000000000000095506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.055{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\087D408E7DDB8B779B7D21025FFFD610D650FF4A2023-01-17 10:35:25.055 11241100x800000000000000095505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F1024191799870B12785EC8CF95ED4019EE3FD362023-01-17 10:35:25.041 11241100x800000000000000095504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\478EDDC072254DEF3915745DB3892736748800822023-01-17 10:35:25.041 11241100x800000000000000095503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.040{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000095502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.040{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D00B0F23175930E19CD3F0B66D09B1,SHA256=ADB9EF6FBD754053084C31FECB376DF4CF8A4445644774DE0C84360A27C6EA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000095501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.036{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=0C3BF9BD32CE530DEAC5FD115751707E,SHA256=202911B85AD4E02CD5AFA1A708B77A328BB5B7DAAE1EB0F01682727CB295357C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000095500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.021{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 11241100x800000000000000095499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.017{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\71D465A57D0D68E0FFE2326839D79CCBBAAFE43F2023-01-17 10:35:25.017 11241100x800000000000000095498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.013{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E4C2BCED7D47A18868B7A73E24C2BD22AED3ED3A2023-01-17 10:35:25.013 23542300x800000000000000095497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.013{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=D9F6DFC04A6D6E4DFF6FD0A9C982D677,SHA256=9929FF75A09D16C547067FB4814E4866EF54ABEAFC5AF3EC6C4A6E9301EA8851,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000095496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.000{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 11241100x800000000000000096084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.999{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.998{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BCA286A30203DBACCB8FE0B1A1C183,SHA256=C4085869A03D708B4284D475AFD17F09C9D0754678FF11C5ADE081AB2BCC1FE0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.971{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\dcbb7d23aedfbd602023-01-17 10:35:26.971 354300x800000000000000096081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.062{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49695-false142.250.191.162ord38s30-in-f2.1e100.net443https 354300x800000000000000096080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.061{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49694-false172.217.4.33lga15s46-in-f1.1e100.net443https 354300x800000000000000096079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.044{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63947- 354300x800000000000000096078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.044{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52003- 354300x800000000000000096077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.044{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55796- 354300x800000000000000096076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.041{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62187- 354300x800000000000000096075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.039{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49544- 354300x800000000000000096074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.020{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55189- 11241100x800000000000000096073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.930{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FCECF1074BEAA7AE16C4883A34462F641FB70A022023-01-17 10:35:26.930 11241100x800000000000000096072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.929{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\029924E0F767623C9E4F6B08DEDDC56822D726A52023-01-17 10:35:26.929 11241100x800000000000000096071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.926{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\13AB1E9661C26045C2A659F016C5127EE7BEE4A42023-01-17 10:35:26.925 10341000x800000000000000096070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.921{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000096069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.917{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6F36B9CDEECC939DAA0F469475B712665B48326B2023-01-17 10:35:26.917 11241100x800000000000000096068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.916{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E440FC48F5EBEE52D029C071A1E4C67B4CA516FB2023-01-17 10:35:26.916 11241100x800000000000000096067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.909{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3091BEBAC81BAA57F8E8A19DE09064A4F8328AA52023-01-17 10:35:26.909 734700x800000000000000096066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.822{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000096065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.821{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000096064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.817{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.816{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.812{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000096061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.812{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000096060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.811{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000096059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.810{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000096058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.809{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 10341000x800000000000000096057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.808{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.807{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.806{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000096054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.805{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.805{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.804{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000096051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.803{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000096050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.803{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000096049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.801{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000096048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.801{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000096047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.800{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000096046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.800{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000096045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.800{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000096044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.800{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000096043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.799{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000096042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.795{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000096041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.794{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000096040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:26.794{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-16C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000096039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:26.794{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-16C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.794{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.793{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000096036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.792{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000096035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.792{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000096034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.792{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000096033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.792{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000096032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.789{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000096031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.788{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 11241100x800000000000000096030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.788{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F57BDE1172D1E8173618C78F9FBFFD885CAFE212023-01-17 10:35:26.788 734700x800000000000000096029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.788{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000096028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.788{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000096027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.787{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000096026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:26.783{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-15C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000096025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:26.782{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-15C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000096024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.781{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000096023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.780{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000096022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.780{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000096021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.778{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.777{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000096019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.776{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000096018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:26.775{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.2659657165503658100C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000096017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:26.775{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.2659657165503658100C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000096016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.775{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000096015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.774{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000096014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:26.773{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.20.44106949C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.769{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000096012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:26.769{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.766{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.765{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000096009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.764{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000096008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.763{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000096007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.763{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000096006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.762{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 18141800x800000000000000096005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:26.762{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.1931630134475590604C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000096004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:26.762{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.1931630134475590604C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000096003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.762{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000096002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.762{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000096001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.762{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000096000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.761{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x800000000000000095999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.761{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000095998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:26.761{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.19.9771967C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.761{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000095996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.760{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000095995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.760{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000095994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.759{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000095993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.759{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000095992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.757{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000095991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.756{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000095990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.756{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000095989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.756{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000095988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.755{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.755{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 18141800x800000000000000095986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:26.755{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.755{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000095984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.754{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000095983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.753{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000095982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.751{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000095981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.751{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000095980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.751{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.750{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000095978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.749{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000095977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.749{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000095976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.749{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000095975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.748{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000095974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.748{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000095973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.747{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000095972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.747{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000095971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.747{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000095970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.747{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000095969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.746{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000095968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.746{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000095967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.746{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000095966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.745{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000095965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.745{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000095964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.745{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000095963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.744{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000095962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.744{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000095961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.744{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000095960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.743{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000095959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.743{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000095958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.742{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000095957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.742{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000095956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.741{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000095955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.741{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000095954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.741{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000095953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.740{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000095952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.740{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.740{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000095950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.740{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.739{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000095948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.739{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.739{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000095946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.739{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000095945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.737{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000095944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.736{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000095943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.735{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000095942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.735{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.735{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000095940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.735{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.735{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.734{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.734{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000095936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.734{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.734{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000095934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.733{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000095933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.733{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.20.441069491\1655616716" -childID 17 -isForBrowser -prefsHandle 7308 -prefMapHandle 7304 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ab639a6-0e23-40d6-8cce-21f646f1b33a} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7316 179412cb858 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x800000000000000095932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.733{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x800000000000000095931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.732{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.732{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000095929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.732{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x800000000000000095928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.732{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.731{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.731{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.731{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.731{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000095923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.731{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.731{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.730{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.730{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.730{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.730{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.730{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.729{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.729{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x800000000000000095914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.729{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.729{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.729{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.728{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.728{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.728{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x800000000000000095908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.728{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.728{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x800000000000000095906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.728{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.727{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.727{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.727{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x800000000000000095902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.727{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.727{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x800000000000000095900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.726{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.726{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.725{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.725{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000095896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.724{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 17141700x800000000000000095895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:26.723{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.20.44106949C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000095894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.723{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000095893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.723{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000095892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.722{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000095891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.722{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.721{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000095889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.721{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000095888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.717{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E657C3E2DE6C212DA8758F8ED37083E74591DFA12023-01-17 10:35:26.717 10341000x800000000000000095887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.716{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.716{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.716{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.716{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.716{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000095882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.715{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000095881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.715{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.19.97719671\1665701136" -childID 16 -isForBrowser -prefsHandle 7468 -prefMapHandle 7472 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85680a72-4347-472f-be92-0a1864d3c6ad} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7460 179412cb558 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000095880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.714{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.714{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.714{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.714{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.713{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.713{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.713{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.713{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.713{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.713{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.712{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.712{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.712{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.712{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.712{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.711{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.711{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.711{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.711{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.711{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.711{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.710{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.710{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.710{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.710{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.710{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000095854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.826{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local50675-false142.250.191.161ord38s30-in-f1.1e100.net443https 354300x800000000000000095853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.759{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49693-false142.250.191.161ord38s30-in-f1.1e100.net443https 354300x800000000000000095852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50674- 354300x800000000000000095851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.741{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64964- 354300x800000000000000095850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.723{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50599- 354300x800000000000000095849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.693{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local53681-false35.190.60.146146.60.190.35.bc.googleusercontent.com443https 354300x800000000000000095848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.596{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49692-false104.18.20.226-80http 354300x800000000000000095847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.594{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49691-false172.64.155.188-80http 354300x800000000000000095846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.586{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53679- 354300x800000000000000095845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.586{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62092- 354300x800000000000000095844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.582{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61704- 17141700x800000000000000095843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:26.707{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.19.9771967C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000095842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.685{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ADCE697331C4C56A080BDCCDCC7AE3D01A4AE71E2023-01-17 10:35:26.685 11241100x800000000000000095841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.669{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5E95FEFA5AF24B4668C0BC81A4FD3D32A8E700592023-01-17 10:35:26.669 734700x800000000000000095840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.600{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msdmo.dll10.0.14393.0 (rs1_release.160715-1616)DMO RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdmo.dllMD5=3246C9C5ECF6555103C7119161ACC8C8,SHA256=3A29292F04B09A91C305062E00756194A83BDEA3ABB1BFB783D908E6D1BEBFBC,IMPHASH=B5AB2AA782AD334C5633AAE30A2CFF41trueMicrosoft WindowsValid 734700x800000000000000095839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.600{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msacm32.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ACM Audio FilterMicrosoft® Windows® Operating SystemMicrosoft Corporationmsfltr32.acmMD5=CCA98E5C82E2636956A08C28DEAA739B,SHA256=6ECD122306AFF30FD1F8BB325C981A6177FA41CD8F4D7CA809E9B1ED6FF52F77,IMPHASH=02CCE03885FF4C014AF552A1F9D7F605trueMicrosoft WindowsValid 734700x800000000000000095838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.596{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\Speech\Common\sapi.dll5.3.25307.00 (rs1_release.210107-1130)Speech APIMicrosoft® Windows® Operating SystemMicrosoft Corporationsapi.dllMD5=34432230D52A0BC141A809839D59102F,SHA256=A9645FE7B2860258846225636CDFBBB5D554260AD8A7598CFB0E62256566F1DC,IMPHASH=C38AE271B8F2290A059AC00D85D8CEA6trueMicrosoft WindowsValid 734700x800000000000000095837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.580{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.5127Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=949437310EC0EB86F6B5985189C513C8,SHA256=A3751817F2212BFA84BC21D22B06DDEC1B64DD54C532F5902AED9BDD934C99DA,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x800000000000000095836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.556{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000095835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x800000000000000095834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.556{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000095833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.556{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000095832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.556{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000095831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.552{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000095830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.552{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000095829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.552{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000095828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.546{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000095827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.546{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000095826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.546{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000095825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.546{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000095824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000095823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000095822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000095821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000095820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000095819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000095818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000095817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000095816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000095815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000095814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000095813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000095812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000095811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000095810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000095809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000095808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000095807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000095806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000095805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000095804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000095803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000095802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.542{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000095800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.541{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.540{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 10341000x800000000000000095798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.540{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.540{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000095796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.540{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.540{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000095794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.540{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000095793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.539{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000095792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.539{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000095791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.539{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000095790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.538{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000095789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.538{F172AD64-79EE-63C6-9902-00000000B002}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000095788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E35CBC68CEE9DDCEC31FFDD0BBCCB372946EE5282023-01-17 10:35:26.518 22542200x800000000000000095787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.328{F172AD64-7935-63C6-6402-00000000B002}2296pagead-googlehosted.l.google.com02607:f8b0:4009:809::2001;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.615{F172AD64-7935-63C6-6402-00000000B002}2296pagead-googlehosted.l.google.com02607:f8b0:4009:818::2001;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.613{F172AD64-7935-63C6-6402-00000000B002}2296pagead-googlehosted.l.google.com0142.250.191.161;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.463{F172AD64-7935-63C6-6402-00000000B002}2296cdn.globalsigncdn.com.cdn.cloudflare.net02606:4700::6812:14e2;2606:4700::6812:15e2;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000095783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.458{F172AD64-7935-63C6-6402-00000000B002}2296cdn.globalsigncdn.com.cdn.cloudflare.net0104.18.21.226;104.18.20.226;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000095782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.479{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\528E0776E4CC3F09CE5B657F7CF3360F818D79C82023-01-17 10:35:26.479 11241100x800000000000000095781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.479{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F3DD0C9522DC5321846ECB427A0821AD7E32A0582023-01-17 10:35:26.479 11241100x800000000000000095780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.479{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BED36CFC3E4AAAA91A55EA48D5E4B74BA2CA14CC2023-01-17 10:35:26.479 11241100x800000000000000095779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.479{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\60E17857950CC05EC310237B852D54A7EA2F99C32023-01-17 10:35:26.479 11241100x800000000000000095778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.472{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AB50A5A99BC1E62FF19C0EE23BA2E7765A3F48C42023-01-17 10:35:26.472 11241100x800000000000000095777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.460{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F997FABFC3BCF53BA88CA7196332C199E4F6B9572023-01-17 10:35:26.460 354300x800000000000000095776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49690-false142.250.190.98ord37s35-in-f2.1e100.net443https 354300x800000000000000095775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.532{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49686-false35.190.60.146146.60.190.35.bc.googleusercontent.com443https 354300x800000000000000095774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.532{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49688-false52.204.114.10ec2-52-204-114-10.compute-1.amazonaws.com443https 354300x800000000000000095773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.532{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49689-false52.55.144.0ec2-52-55-144-0.compute-1.amazonaws.com443https 354300x800000000000000095772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.531{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49685-false34.233.34.86ec2-34-233-34-86.compute-1.amazonaws.com443https 354300x800000000000000095771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.521{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49687-false15.197.193.217a12b7a488abeaa9e4.awsglobalaccelerator.com443https 354300x800000000000000095770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.508{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local50844- 354300x800000000000000095769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.506{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local50893- 354300x800000000000000095768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.483{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53972- 354300x800000000000000095767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.483{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62878- 354300x800000000000000095766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.482{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49974- 354300x800000000000000095765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.482{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50116- 354300x800000000000000095764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.482{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50844- 354300x800000000000000095763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.480{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50893- 354300x800000000000000095762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.434{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50443- 354300x800000000000000095761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.434{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62643- 354300x800000000000000095760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.434{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51637- 354300x800000000000000095759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.432{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49907- 354300x800000000000000095758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.432{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51651- 354300x800000000000000095757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.432{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50838- 354300x800000000000000095756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.432{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54663- 354300x800000000000000095755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.432{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51089- 354300x800000000000000095754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.431{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65239- 354300x800000000000000095753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.430{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61271- 354300x800000000000000095752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.430{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55888- 354300x800000000000000095751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.429{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52271- 354300x800000000000000095750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.415{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49684-false13.107.42.14-443https 11241100x800000000000000095749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.448{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\35CFFA593A370A90D446EC9B5E8EF79C2A2595682023-01-17 10:35:26.448 11241100x800000000000000095748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.437{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7D8AD719D8EF3E355E63107167681D41FE4158332023-01-17 10:35:26.437 11241100x800000000000000095747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.409{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2B65ACC469CF94D680F9A8DE9EFA0864260883BB2023-01-17 10:35:26.409 11241100x800000000000000095746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.409{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B4DDB6BF1B056128F59B0AC8CAD39FD6BD7828FC2023-01-17 10:35:26.409 11241100x800000000000000095745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.409{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C32A0586F7801D2FE866DC15149128B2D047F7E52023-01-17 10:35:26.409 11241100x800000000000000095744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.409{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5E0F7D7BC2D435ACED35E0D3ED68C5BA927539862023-01-17 10:35:26.409 11241100x800000000000000095743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.369{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4C9C1D24166368679D2518B9888DB50A308DBB372023-01-17 10:35:26.369 11241100x800000000000000095742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.369{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\905BE64C8E1800274820845F8423D07CD8AC6FDE2023-01-17 10:35:26.369 11241100x800000000000000095741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.321{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7E3471B9ED5697824C038CFC810F6EDC767518122023-01-17 10:35:26.320 11241100x800000000000000095740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.296{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\85E8E0F3591E09D9C3C84D5E5473CDDBD68BC3CA2023-01-17 10:35:26.296 10341000x800000000000000095739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.289{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000095738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.288{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000095737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.288{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000095736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.287{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000095735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.287{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000095734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.287{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000095733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.285{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000095732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.285{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000095731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.285{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000095730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.268{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\32B61152AEAA47227D00E7DB4222CF5CACA92ABE2023-01-17 10:35:26.268 11241100x800000000000000095729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.209{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F2AE4E976BDC9B84770ABC1706983B5A179C43C2023-01-17 10:35:26.209 354300x800000000000000095728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.285{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61746-false130.211.23.194194.23.211.130.bc.googleusercontent.com443https 354300x800000000000000095727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.230{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49683-false142.250.191.195ord38s31-in-f3.1e100.net80http 354300x800000000000000095726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.203{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49682-false142.250.190.34ord37s33-in-f2.1e100.net443https 354300x800000000000000095725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.179{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49681-false130.211.23.194194.23.211.130.bc.googleusercontent.com443https 354300x800000000000000095724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.179{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49680-false130.211.23.194194.23.211.130.bc.googleusercontent.com443https 354300x800000000000000095723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.175{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61745-false34.111.234.236236.234.111.34.bc.googleusercontent.com443https 354300x800000000000000095722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.165{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61742-false172.217.2.38atl14s78-in-f6.1e100.net443https 354300x800000000000000095721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.139{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55597- 354300x800000000000000095720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.119{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49678-false108.156.172.28server-108-156-172-28.cmh68.r.cloudfront.net443https 354300x800000000000000095719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.118{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53033- 354300x800000000000000095718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.118{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51279- 354300x800000000000000095717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.117{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52612- 354300x800000000000000095716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.116{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65453- 354300x800000000000000095715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.102{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49677-false108.156.170.59server-108-156-170-59.cmh68.r.cloudfront.net80http 354300x800000000000000095714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:24.077{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64359- 11241100x800000000000000095713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.179{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E8C5B96B26526B9D1C426A1852BB0F4F45E369772023-01-17 10:35:26.179 10341000x800000000000000095712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.171{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9 11241100x800000000000000095711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.167{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7BB2C9999DCF1D785D29303C6FE98E985E2700712023-01-17 10:35:26.167 11241100x800000000000000095710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.163{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EC7BE79C44DE54E321A7E926E3BF1D5DAC55532D2023-01-17 10:35:26.163 11241100x800000000000000095709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.159{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6941184D1FBA4C3D12980D8D580BBAFEAFE409182023-01-17 10:35:26.159 11241100x800000000000000095708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.147{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9FB3F7AFD43E4F27D2383A47E15D5FD049D854202023-01-17 10:35:26.147 11241100x800000000000000095707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.095{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0562F50265C35757D2F0015433D2F897B2C8E0B42023-01-17 10:35:26.095 11241100x800000000000000095706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.055{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6E1895B33D5F91F34072ECC4DEA16128B135F8072023-01-17 10:35:26.055 11241100x800000000000000095705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E8F601306FA670B54ADFCD37AE5B01E9E205E3DE2023-01-17 10:35:26.041 11241100x800000000000000095704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.035{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D7060FAB8CB66EB6976C98E2719E3763CCBAF6142023-01-17 10:35:26.035 354300x800000000000000069889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:26.043{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50374-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:27.117{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D771A28910F0C9D3292EF8CB99C459AF,SHA256=53E4995A576A645E34619D0CF00AA2FD25E48981D0E93F16A5FF4D49BA417C27,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.958{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.958{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF88FE8DFF26C0A9FD84BCE2439B49E,SHA256=932C693877EFA9960A27E9AFB42C7E0E840C5AE37A608CBAA0AB9D431836378D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.942{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4DE3D7BD18AAE9F7E485B132F8C248E2F0B86A1D2023-01-17 10:35:27.942 10341000x800000000000000096257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.818{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.818{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.818{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.817{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.817{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.817{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000096251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.571{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\57835E898B28006BA31EE8D96AC2E9666565FBF52023-01-17 10:35:27.558 11241100x800000000000000096250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\13F4D63DD5289DA519C7A88B8851DA2E03966DF42023-01-17 10:35:27.518 22542200x800000000000000096249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.749{F172AD64-7935-63C6-6402-00000000B002}2296cdn-content.ampproject.org02607:f8b0:4009:819::2001;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.747{F172AD64-7935-63C6-6402-00000000B002}2296cdn-content.ampproject.org0172.217.0.161;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.746{F172AD64-7935-63C6-6402-00000000B002}2296cdn.ampproject.org0type: 5 cdn-content.ampproject.org;::ffff:172.217.0.161;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000096246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.584{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local51684-false172.217.2.34ord37s52-in-f2.1e100.net443https 354300x800000000000000096245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.539{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local51683-false142.250.190.102ord37s35-in-f6.1e100.net443https 354300x800000000000000096244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.512{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local61436- 354300x800000000000000096243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.490{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49703-false172.217.2.34ord37s52-in-f2.1e100.net443https 354300x800000000000000096242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.487{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51682- 354300x800000000000000096241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.487{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64749- 354300x800000000000000096240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.486{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63243- 354300x800000000000000096239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.486{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61117- 354300x800000000000000096238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.485{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52456- 354300x800000000000000096237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.485{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61116- 354300x800000000000000096236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.485{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61436- 354300x800000000000000096235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.485{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62054- 354300x800000000000000096234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.484{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49702-false142.250.190.102ord37s35-in-f6.1e100.net443https 354300x800000000000000096233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.473{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52911- 354300x800000000000000096232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.469{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54572- 354300x800000000000000096231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.454{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49728- 354300x800000000000000096230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.397{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53596- 354300x800000000000000096229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.397{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61466- 354300x800000000000000096228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.394{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50980- 11241100x800000000000000096227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.389{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5251D41A39FD690C2A21CD5B81A70904CA83ECDE2023-01-17 10:35:27.389 11241100x800000000000000096226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.334{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.333{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D91F201071363B3B2D5C25D21D55152,SHA256=F221DBC5EBB007E75C001326A494988B008FF2A7B9A9FF88E915345FC5B6E158,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.311{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5364B471C1AEED14FE9402C42A47A3F7F10CD7C52023-01-17 10:35:27.311 10341000x800000000000000096223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.305{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 734700x800000000000000096222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.258{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000096221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.258{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000096220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.258{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.258{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.258{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000096217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000096216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000096215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000096214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000096211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000096210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000096209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000096208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000096207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 11241100x800000000000000096206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\82B024DAC88426CC15E6B698343176E7310AAC4F2023-01-17 10:35:27.242 734700x800000000000000096205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.242{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000096204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:27.242{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-17C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000096203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:27.242{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-17C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000096202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.241{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000096201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.240{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000096200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.240{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 11241100x800000000000000096199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.236{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\05C77C531C13480971FE8A195018D59315F385A82023-01-17 10:35:27.236 10341000x800000000000000096198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.223{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.222{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000096196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.221{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000096195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.220{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 18141800x800000000000000096194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:27.220{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.12744068160451731550C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000096193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:27.220{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.12744068160451731550C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.219{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000096191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:27.219{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.21.150267900C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.215{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000096189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:27.215{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000096188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.217{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49700-false142.250.190.34ord37s33-in-f2.1e100.net443https 354300x800000000000000096187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.207{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49696-false172.217.5.2lga15s49-in-f2.1e100.net443https 354300x800000000000000096186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.187{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61305- 354300x800000000000000096185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.187{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55405- 354300x800000000000000096184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.170{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50129- 354300x800000000000000096183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.154{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61113-false172.217.4.33lga15s46-in-f1.1e100.net443https 354300x800000000000000096182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.151{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61110-false142.250.191.162ord38s30-in-f2.1e100.net443https 734700x800000000000000096181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.210{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000096180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.209{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000096179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.208{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000096178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.208{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000096177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.208{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000096176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.207{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000096175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.207{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000096174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.206{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000096173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.206{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000096172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.205{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000096171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.205{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000096170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.204{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000096169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.203{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000096168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.202{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000096167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.202{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000096166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.202{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000096165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.201{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000096164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.201{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000096163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.199{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000096162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.198{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000096161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.198{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000096160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.197{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000096159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.197{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000096158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.193{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000096157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.193{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 11241100x800000000000000096156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.193{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5F7C5BAD797CD29011DA2E9AFF41794C865AB8FA2023-01-17 10:35:27.193 734700x800000000000000096155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.193{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000096154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.192{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000096153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.192{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000096152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.191{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000096151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.191{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000096150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.190{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000096149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.190{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000096148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.189{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000096147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.188{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000096146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.188{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000096145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.188{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000096144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.187{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000096143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.187{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.182{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.182{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.182{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.182{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.182{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000096137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.181{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000096136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.182{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.21.1502679000\591374250" -childID 18 -isForBrowser -prefsHandle 7104 -prefMapHandle 7100 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a426358c-0896-4993-a573-be465b537b54} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7116 179417c2e58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000096135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.180{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.180{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.180{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.179{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.179{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.179{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.179{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.179{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.178{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.178{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.178{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.178{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.178{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.178{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.178{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.177{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.177{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.177{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.177{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.177{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.177{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.177{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.176{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.176{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.176{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.176{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000096109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:27.174{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.21.150267900C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000096108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.144{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FD5AC8FD787BDA033A18329CC3BACD3E367552462023-01-17 10:35:27.144 11241100x800000000000000096107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.142{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2C6DE2808DAF6C137EA1E2D3F4C9041B637209E22023-01-17 10:35:27.142 10341000x800000000000000096106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.132{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 10341000x800000000000000096105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.123{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.123{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.123{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.123{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.123{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.123{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.105{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.104{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.104{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.104{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.104{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.104{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000096093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.071{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A393ED9C2938899D39972EFBE8AA8B77AB45CD772023-01-17 10:35:27.071 11241100x800000000000000096092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.071{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CC5F50F22341221B81FF147B54CD2DBDDC28D1D22023-01-17 10:35:27.071 11241100x800000000000000096091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.058{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\653CC25B5D63B9E7AFF9AAE79161120054A1966C2023-01-17 10:35:27.058 11241100x800000000000000096090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.058{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\776D7CBE207E4AE68D25F316B94B9861FCC652CA2023-01-17 10:35:27.058 11241100x800000000000000096089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B7A5A9469B9751DE6065D0BFCC7E82F05E8A7DF52023-01-17 10:35:27.041 11241100x800000000000000096088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.024{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\22539CAE01C1B5AAE89EB1D8409D97A0321FC0422023-01-17 10:35:27.024 11241100x800000000000000096087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.008{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\782209314FCC036CD8AD04FD9E472566D3622BEE2023-01-17 10:35:27.008 11241100x800000000000000096086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.008{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.008{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260F9B0E49B9E47CD54FA974A18E3280,SHA256=63B0A6EAAC5AA92BF76947B63628D50D7A3A6E2F0C104B37AF267855EBBB64CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:28.327{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6834AA45EBC0EC868836E7F472C7787,SHA256=ADED174325C64C00E190605B76EA9AC9D4F1FAB1BBF2E28C40145178337FEAF5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.739{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6D0724CB6430FD043942CE53F720F662384DDC8F2023-01-17 10:35:28.739 10341000x800000000000000096443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.738{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.738{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.738{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.737{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.737{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.737{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000096437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.708{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2B5BF572B64CF6F62DF344DC6EF0A54E76CCBBF92023-01-17 10:35:28.708 11241100x800000000000000096436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.679{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\18F935CB4878D1ED4733E117D486E287195320B02023-01-17 10:35:28.679 11241100x800000000000000096435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.640{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D1A374B4E9A24A666CC09E021C08E6BF8668D7612023-01-17 10:35:28.640 11241100x800000000000000096434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.617{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F0DB622B19301578F1C602386133FF21593F56282023-01-17 10:35:28.617 11241100x800000000000000096433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.617{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B1EA3A99504D945CDC1B0B1F9B05826E3114B8502023-01-17 10:35:28.617 23542300x800000000000000096432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.570{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=3EE0B0EADA7D6786615936D341CE8695,SHA256=814E08318E3D120B3B7E6DF3F4CC6DE1ACA39C316DDA1916958EAE36527284AC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.557{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5C89CC4673110E6AC9B3439DDC275E0AC3B0A7F72023-01-17 10:35:28.557 11241100x800000000000000096430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.557{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:19.728 10341000x800000000000000096429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.557{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9 11241100x800000000000000096428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.517{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.517{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3315F772B27D721451867CDD83547034,SHA256=0DBF4D17A3137F27E8ABA83CAB48C5EC901ED9E0208EDD394000BE3A5506A4BA,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000096426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.489{F172AD64-7935-63C6-6402-00000000B002}2296prod.ups-ats.us-east-1.aolp-ds-prd.aws.oath.cloud054.175.87.114;52.45.33.138;3.218.90.66;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.489{F172AD64-7935-63C6-6402-00000000B002}2296e6603.g.akamaiedge.net096.17.56.209;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.203{F172AD64-7935-63C6-6402-00000000B002}2296www.google.com02607:f8b0:4009:803::2004;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000096423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.508{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54662- 354300x800000000000000096422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.508{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50897- 354300x800000000000000096421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.347{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49718-false142.250.190.68ord37s34-in-f4.1e100.net443https 11241100x800000000000000096420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\66CF87EF89ABD6D1EF002AEAF97DF3A9E72368F12023-01-17 10:35:28.486 11241100x800000000000000096419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\143E2A4B30628431931664FBF94DFD9E4D5383662023-01-17 10:35:28.486 11241100x800000000000000096418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\97BD1C7F6F47D894A58E5F34278E6FECDCB8FF7C2023-01-17 10:35:28.486 11241100x800000000000000096417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2B662789DFDD9C1308FF8ECD48E05F393053163C2023-01-17 10:35:28.486 11241100x800000000000000096416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3A0B5DB873FF6FB94853CA97448BFCF17B6038B12023-01-17 10:35:28.486 11241100x800000000000000096415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\64B43E6C2F5312270077E804BD5CE02B644950882023-01-17 10:35:28.486 11241100x800000000000000096414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\517CA0332064F4344FC1DB0F08D243076B48341E2023-01-17 10:35:28.486 11241100x800000000000000096413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0802EEA194471BDF9C6D9B034D42A27600E6D12C2023-01-17 10:35:28.486 11241100x800000000000000096412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4E1C0EE150D2A52D173A6E738A727B61CE661B432023-01-17 10:35:28.486 11241100x800000000000000096411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7EC0191FF9D0D3846CC1ED6E5B1442230BC1E6BC2023-01-17 10:35:28.486 11241100x800000000000000096410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6E2DD3ADE7F2C686A0779A13083DF9B8D4C687A82023-01-17 10:35:28.486 11241100x800000000000000096409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.486{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CA87B2B3EFAE6A472A96016E690DDDF441836D222023-01-17 10:35:28.486 10341000x800000000000000096408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.318{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.318{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.318{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 354300x800000000000000096405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.328{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64341- 734700x800000000000000096404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.204{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000096403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.204{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000096402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.204{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.204{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.204{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000096399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.204{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000096398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.204{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000096397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.191{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000096396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.191{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.191{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.191{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000096393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.191{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000096392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.191{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000096391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.191{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000096390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.191{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000096389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.191{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000096388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.191{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000096387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:28.191{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-18C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000096386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:28.191{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-18C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000096385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.175{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000096384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.175{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000096383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.175{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000096382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.175{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.175{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000096380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.175{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000096379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:28.174{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.10792962398736255360C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000096378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:28.174{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.10792962398736255360C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000096377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.174{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000096376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.174{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000096375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:28.173{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.22.167602369C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.170{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000096373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:28.169{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000096372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.165{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000096371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.165{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000096370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.164{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000096369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.164{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000096368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.164{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000096367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.163{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000096366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.163{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000096365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.163{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000096364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.162{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000096363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.162{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 10341000x800000000000000096362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.162{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 734700x800000000000000096361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.162{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000096360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.161{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000096359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.160{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000096358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.160{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000096357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.159{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000096356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.159{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000096355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.159{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000096354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.158{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 10341000x800000000000000096353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.158{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 734700x800000000000000096352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.157{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000096351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.156{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000096350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.156{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000096349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.156{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000096348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.155{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000096347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.154{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x800000000000000096346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.154{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 734700x800000000000000096345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.154{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000096344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.152{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x800000000000000096343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.152{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 734700x800000000000000096342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.152{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000096341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.151{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x800000000000000096340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.151{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 734700x800000000000000096339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.151{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000096338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.150{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000096337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.150{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000096336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.149{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000096335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.148{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000096334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.148{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000096333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.147{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000096332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.147{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000096331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.146{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000096330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.146{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.145{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.142{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.142{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.141{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.141{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.141{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.141{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000096322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.141{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000096321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.140{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.22.1676023691\1075973466" -childID 19 -isForBrowser -prefsHandle 8976 -prefMapHandle 8656 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d3ec187-5265-45f4-946d-7735d9817cda} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 6984 179418adb58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000096320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.140{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.139{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.139{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.139{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.139{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.139{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.139{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.139{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.138{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.138{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.138{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.138{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.138{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.138{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.137{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.137{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.137{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.137{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.137{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.137{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.136{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.136{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.136{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.136{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.136{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.135{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.135{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.135{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.133{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 17141700x800000000000000096291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:28.133{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.22.167602369C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.123{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.119{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.113{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.105{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.098{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.075{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.067{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.061{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.053{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.046{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.017{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.015{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 354300x800000000000000096278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.069{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49716-false172.217.1.99yyz08s09-in-f99.1e100.net443https 354300x800000000000000096277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.067{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49717-false172.217.1.99yyz08s09-in-f99.1e100.net443https 354300x800000000000000096276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.063{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49715-false172.217.1.99yyz08s09-in-f99.1e100.net443https 354300x800000000000000096275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.028{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local62327-false142.250.190.106ord37s35-in-f10.1e100.net443https 354300x800000000000000096274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:26.008{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local62326-false172.217.0.161ord38s42-in-f1.1e100.net443https 354300x800000000000000096273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.986{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49714-false142.250.191.195ord38s31-in-f3.1e100.net80http 354300x800000000000000096272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.984{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49713-false142.250.191.195ord38s31-in-f3.1e100.net80http 354300x800000000000000096271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.983{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49712-false142.250.191.195ord38s31-in-f3.1e100.net80http 354300x800000000000000096270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49711-false142.250.190.106ord37s35-in-f10.1e100.net443https 354300x800000000000000096269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.894{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49708-false172.217.0.161ord38s42-in-f1.1e100.net443https 354300x800000000000000096268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.893{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49709-false172.217.0.161ord38s42-in-f1.1e100.net443https 354300x800000000000000096267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.893{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49707-false172.217.0.161ord38s42-in-f1.1e100.net443https 354300x800000000000000096266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.893{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49705-false172.217.0.161ord38s42-in-f1.1e100.net443https 354300x800000000000000096265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.892{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49706-false172.217.0.161ord38s42-in-f1.1e100.net443https 354300x800000000000000096264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.878{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62325- 354300x800000000000000096263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.878{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64638- 354300x800000000000000096262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.875{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49580- 354300x800000000000000096261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:25.874{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49167- 23542300x800000000000000069891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:29.420{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165FE328F302A0946366C2675986CE58,SHA256=6548956B30E5E60A4A4F95BBE4FCA7FFB0B99027444F3CFA7823C76308F39770,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.901{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\EBhs0bEs.exe.part2023-01-17 10:35:29.901 11241100x800000000000000096607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.901{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\processhacker-2.39-setup.exe2023-01-17 10:35:29.901 23542300x800000000000000096606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.901{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\EBhs0bEs.exe.partMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.901{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\EBhs0bEs.exe.part2023-01-17 10:35:29.901 11241100x800000000000000096604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.901{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\EBhs0bEs.exe2023-01-17 10:35:29.901 11241100x800000000000000096603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.857{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.857{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE07968843375836B6CEEF046EBFE02A,SHA256=B2A5FFD5728FE2071867E13E490E8AE7B2DB140304CA51ADFB3BB36AB7036C94,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.768{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local56062- 354300x800000000000000096600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.765{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53853- 354300x800000000000000096599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.763{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49726-false34.197.238.244ec2-34-197-238-244.compute-1.amazonaws.com443https 354300x800000000000000096598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.752{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62937- 354300x800000000000000096597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.751{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50297- 354300x800000000000000096596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.714{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49725-false8.28.7.81-443https 354300x800000000000000096595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.699{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64641- 354300x800000000000000096594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.698{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49231- 354300x800000000000000096593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.696{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52269- 10341000x800000000000000096592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.775{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.775{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.775{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.775{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.775{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.775{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000096586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.642{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000096585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.642{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000096584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.642{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.642{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.639{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000096581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.637{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000096580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.636{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000096579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.633{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000096578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000096575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000096574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000096573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000096572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000096571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000096570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000096569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:29.617{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-19C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000096568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:29.617{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-19C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000096567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000096566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000096565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.617{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000096564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.602{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.602{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000096562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.602{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000096561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.602{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 18141800x800000000000000096560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:29.602{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.16228465975482333801C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000096559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:29.602{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.16228465975482333801C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.602{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000096557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:29.602{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.23.25354733C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000096555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:29.586{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000096554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000096553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000096552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000096551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000096550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000096549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000096548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000096547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000096546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000096545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000096544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000096543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000096542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000096541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000096540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000096539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.586{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000096538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000096537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000096536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000096535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000096534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000096533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000096532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000096531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000096530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000096529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000096528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000096527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000096526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000096525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000096524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000096523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000096522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000096521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000096520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000096519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000096518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000096517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.570{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000096511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000096510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.565{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.23.253547336\1834566123" -childID 20 -isForBrowser -prefsHandle 6632 -prefMapHandle 6932 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c0a3baa-d610-4fd7-9cea-7671d09c7265} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7100 17941164d58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000096509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.557{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000096483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:29.557{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.23.25354733C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000096482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.639{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49723-false67.202.105.24ip24.67-202-105.static.steadfastdns.net443https 354300x800000000000000096481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.632{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49722-false3.218.90.66ec2-3-218-90-66.compute-1.amazonaws.com443https 354300x800000000000000096480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49721-false3.218.90.66ec2-3-218-90-66.compute-1.amazonaws.com443https 354300x800000000000000096479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.629{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49724-false23.202.233.189a23-202-233-189.deploy.static.akamaitechnologies.com443https 354300x800000000000000096478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.626{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49719-false96.17.56.209a96-17-56-209.deploy.static.akamaitechnologies.com443https 354300x800000000000000096477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.619{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54424- 354300x800000000000000096476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.618{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55714- 354300x800000000000000096475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.618{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62994- 354300x800000000000000096474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.617{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54734- 354300x800000000000000096473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.617{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63880- 354300x800000000000000096472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.616{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54303- 354300x800000000000000096471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.616{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62100- 354300x800000000000000096470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.616{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65289- 354300x800000000000000096469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.613{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53060- 22542200x800000000000000096468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.642{F172AD64-7935-63C6-6402-00000000B002}2296spug-vac.pubmnet.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.640{F172AD64-7935-63C6-6402-00000000B002}2296spug-vac.pubmnet.com08.28.7.84;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.572{F172AD64-7935-63C6-6402-00000000B002}2296pugm-vac.pubmnet.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.571{F172AD64-7935-63C6-6402-00000000B002}2296pugm-vac.pubmnet.com08.28.7.81;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.505{F172AD64-7935-63C6-6402-00000000B002}2296pixel.33across.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.492{F172AD64-7935-63C6-6402-00000000B002}2296e6791.b.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.491{F172AD64-7935-63C6-6402-00000000B002}2296e6791.b.akamaiedge.net023.202.233.189;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.490{F172AD64-7935-63C6-6402-00000000B002}2296pixel.33across.com067.202.105.24;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.490{F172AD64-7935-63C6-6402-00000000B002}2296prod.ups-ats.us-east-1.aolp-ds-prd.aws.oath.cloud9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.490{F172AD64-7935-63C6-6402-00000000B002}2296e6603.g.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.490{F172AD64-7935-63C6-6402-00000000B002}2296ssc-cms.33across.com0type: 5 pixel.33across.com;::ffff:67.202.105.24;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.321{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.321{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.321{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.320{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.320{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.319{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.318{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.318{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.318{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000096448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.102{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.102{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AC0418245D727B2AE33BC4765EB444,SHA256=BDEC2E6956144D29088C06E5DA1C00CAD58EBCB99731E2E826DABD019DC0831E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.102{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.102{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CF386946518A166DA5AF013D84312A,SHA256=5B04931C0666E0C5C5615048BFE725EBC0458964C96826DC66A2EB044F5B36FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:30.727{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E78A99DE993C97929D56ADAD640064,SHA256=04E9BCD77374452B0D1EF4B686F03ED9A5FE37BF004674531F7C8B200B839739,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.922{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50385- 354300x800000000000000096652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.771{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50742- 11241100x800000000000000096651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.630{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000096650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.630{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=818D52BE8578B1FFFDCFB59C3AAFD57D,SHA256=E1C4C8BC10EAF6C86D88BBD28A4DD7EAF0366F61583752432EE092628018F07C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.608{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.607{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 354300x800000000000000096647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.700{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49729-false204.68.111.105-443https 354300x800000000000000096646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.643{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64753- 354300x800000000000000096645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.629{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55224- 354300x800000000000000096644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.576{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local55758- 354300x800000000000000096643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.541{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55758- 354300x800000000000000096642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.540{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52993- 354300x800000000000000096641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.540{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52460- 354300x800000000000000096640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.540{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63478- 354300x800000000000000096639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.540{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55610- 354300x800000000000000096638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.779{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49728-false8.28.7.84-443https 354300x800000000000000096637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:27.778{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49727-false34.197.238.244ec2-34-197-238-244.compute-1.amazonaws.com443https 11241100x800000000000000096636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.477{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.477{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF7FDE31552DD612E3E4D9678BCA440,SHA256=096A48F3752CDF5FD5E13067B850E213B25F4561055A0CBFF98461472D726072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.240{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.236{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.230{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.217{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 15241500x800000000000000096630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.141{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\processhacker-2.39-setup.exe:Zone.Identifier2023-01-17 10:35:29.901MD5=67C4164F3F8A7B9369E29435F6B2A175,SHA256=32CE7C732E1A82FD6F2070B1030AE5BB22A79B4BBD01E56B4C97324AB7F428F9,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 ReferrerUrl=https://sourceforge.net/ HostUrl=https://netactuate.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe 11241100x800000000000000096629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.141{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\processhacker-2.39-setup.exe:Zone.Identifier2023-01-17 10:35:29.901 15241500x800000000000000096628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.117{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\processhacker-2.39-setup.exe2023-01-17 10:35:29.901MD5=54DAAD58CCE5003BEE58B28A4F465F49,SHA256=28042DD4A92A0033B8F1D419B9E989C5B8E32D1D2D881F5C8251D58CE35B9063,IMPHASH=00000000000000000000000000000000- 23542300x800000000000000096627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.070{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journalMD5=4FD433D016937B83C942C227A79A5792,SHA256=97873C98B26715A6B5C5CB63DC90F917ADFFCB4C2671F194E33B40121ED42AD0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.057{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\usage2023-01-17 10:35:30.057 11241100x800000000000000096625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.057{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\usage-journal2023-01-17 10:35:30.057 11241100x800000000000000096624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.057{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journal2023-01-17 10:35:30.037 23542300x800000000000000096623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.057{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journalMD5=8D4DD1EBE0B23F3970762EA737B30F26,SHA256=420436D58F7774482B5CB496B0DF002267D32A5B94731D0B5415631B4EA17910,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000096622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0,IMPHASH=1277B5BCF0437BEA5158FFB1086840B6trueMicrosoft WindowsValid 11241100x800000000000000096621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journal2023-01-17 10:35:30.037 23542300x800000000000000096620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.041{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journalMD5=90E24780BF143371AA56F8454FAA4199,SHA256=FFAD03A9D06A7FEFD314D236A1B0196833A1C33F5612B76103250F6A0DD7E385,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000096619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gpapi.dll10.0.14393.4467 (rs1_release.210604-1844)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=96BBBC9AD606CF5EBAF525E3AB1C69A5,SHA256=32F0EA9185A6E1DE26E3276BAAB0FB5ED72940D34FE5FFDF5331D91E42794124,IMPHASH=54A7A105E11720BE50C587CF0CFA8828trueMicrosoft WindowsValid 11241100x800000000000000096618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journal2023-01-17 10:35:30.037 23542300x800000000000000096617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.041{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journalMD5=7D2F0DE6945F0BD4BD4FFBF603FB746E,SHA256=0672362A205851C3853F1A8C45A0A42AC19C97B0B2C43DABE5CCD051A5CA2FFA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.037{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journal2023-01-17 10:35:30.037 11241100x800000000000000096615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.036{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite2023-01-17 10:35:30.036 11241100x800000000000000096614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.036{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls2023-01-17 10:35:30.036 11241100x800000000000000096613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.032{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\.metadata-v2-tmp2023-01-17 10:35:30.032 11241100x800000000000000096612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.032{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net2023-01-17 10:35:30.032 23542300x800000000000000096611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.004{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-053MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.003{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0532023-01-17 10:35:30.003 11241100x800000000000000096609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.001{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0542023-01-17 10:35:30.001 23542300x800000000000000069893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:31.818{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC995CF7815B9B9C24520C73BCA2D6A,SHA256=C9D89FB9DC7BFCB66807E284AD9EFC23E8F6F2DA37BCA1293E760F0F20DD99FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.818{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000096711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.206{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49731-false142.250.190.138ord37s36-in-f10.1e100.net443https 354300x800000000000000096710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:28.939{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49730-false104.225.3.6666.3.225.104.ptr.anycast.net443https 10341000x800000000000000096709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.602{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.602{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.602{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 22542200x800000000000000096706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.807{F172AD64-7935-63C6-6402-00000000B002}2296netactuate.dl.sourceforge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.794{F172AD64-7935-63C6-6402-00000000B002}2296netactuate.dl.sourceforge.net0104.225.3.66;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.793{F172AD64-7935-63C6-6402-00000000B002}2296netactuate.dl.sourceforge.net0::ffff:104.225.3.66;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.643{F172AD64-7935-63C6-6402-00000000B002}2296a1887.dscq.akamai.net02600:141f:4000:9::17ca:5a04;2600:141f:4000:9::17ca:5a0e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.529{F172AD64-7935-63C6-6402-00000000B002}2296downloads.sourceforge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.515{F172AD64-7935-63C6-6402-00000000B002}2296downloads.sourceforge.net0204.68.111.105;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000096700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.514{F172AD64-7935-63C6-6402-00000000B002}2296downloads.sourceforge.net0::ffff:204.68.111.105;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000096699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.341{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.338{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.334{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.329{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.324{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.321{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.319{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.316{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.307{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.304{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.301{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.299{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.290{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 11241100x800000000000000096686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.288{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.288{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816C0F3C07D875480E752876B60D62F8,SHA256=EBBC4BDA92B849471FD7966662A14588134BE9F6BB797FF4F0B1A4E45EDBFA95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.287{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.284{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.281{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.272{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.270{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.244{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.237{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.236{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.234{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.232{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.231{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.231{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.229{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.212{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.199{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.196{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 11241100x800000000000000096668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.173{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x800000000000000096667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.173{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.169{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.159{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.141{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.136{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.134{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.132{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.129{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.127{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.123{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.122{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.120{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 10341000x800000000000000096655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.119{F172AD64-7640-63C6-CB01-00000000B002}61966312C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131003D0) 23542300x800000000000000096654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:31.018{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-054MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:32.903{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01DB6E861FF0F8D3750A22EB8A1690F,SHA256=C91BCAAD49E05C602ACB2A0D4F61F35581C5CD3ED2F2BBBA807996CDC7759DFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.277{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49733-false10.0.1.12-8089- 354300x800000000000000096716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.539{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53198- 354300x800000000000000096715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:29.305{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49732-false10.0.1.12-8000- 11241100x800000000000000096714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:32.321{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:32.321{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86427AF9DC823938746155FDC388C0EB,SHA256=ACB960E18F496BA131788B5DC5D1C4BCC9786E249C2D5EA30EF56C3FEF56A31F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.867{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000096736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.833{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3781B4A3713292956206932165FA4132_29912A7EA9EDB60BB42BD5D9643E27BB2023-01-17 10:35:33.833 11241100x800000000000000096735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.833{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3781B4A3713292956206932165FA4132_29912A7EA9EDB60BB42BD5D9643E27BB2023-01-17 10:35:33.832 11241100x800000000000000096734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.789{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E2023-01-17 10:35:33.789 11241100x800000000000000096733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.789{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E2023-01-17 10:35:33.789 734700x800000000000000096732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.744{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\webio.dll10.0.14393.3866 (rs1_release.200805-1327)Web Transfer Protocols APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwebio.dllMD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6,IMPHASH=72061958A1119B16F6B4694A68C7F8CBtrueMicrosoft WindowsValid 734700x800000000000000096731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.744{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 734700x800000000000000096730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.744{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x800000000000000096729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.744{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0,IMPHASH=1277B5BCF0437BEA5158FFB1086840B6trueMicrosoft WindowsValid 354300x800000000000000096728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.704{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local55896- 354300x800000000000000096727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:30.676{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55896- 11241100x800000000000000096726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.505{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\45690837AF9C7649103DACD850551F69776BB76A2023-01-17 10:35:33.505 11241100x800000000000000096725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.505{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7773BEB02797923498AF486EDD878A6AFAEB217A2023-01-17 10:35:33.505 11241100x800000000000000096724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.505{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EE95587EE6DF854FB55101A6B14908B379A2DB1F2023-01-17 10:35:33.505 11241100x800000000000000096723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.505{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D7B8D5A7C1435BE694E15131B25C56B82C0F21972023-01-17 10:35:33.505 11241100x800000000000000096722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.505{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\138F90927D606A3FFFB7B3417F3A0F6208676D5A2023-01-17 10:35:33.505 11241100x800000000000000096721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.505{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CAD234E6F80653BFAA6106865ED86C1A281846E82023-01-17 10:35:33.505 11241100x800000000000000096720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.505{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3B8861821BF6BFB2ED807D4F7CE0CFA92BD6CE442023-01-17 10:35:33.505 11241100x800000000000000096719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.473{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:33.473{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7448A532E7A23EA648C4E355C4AA3E,SHA256=C49E7FE8C160B8F6D56689EE9BF4101D00136B3E217763607F134EEEC0699653,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.420{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 354300x800000000000000069932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:31.246{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50375-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000069931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.410{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.379{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.365{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.327{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.320{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.304{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.299{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.293{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.291{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.288{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.286{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.285{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.281{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.277{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.275{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.251{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.240{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.237{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.222{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.214{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.183{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.175{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.167{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.157{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.149{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.144{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.135{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.125{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.116{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.106{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000069895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:33.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 23542300x800000000000000069934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:34.059{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFAB10AA4A3BE0EF9B97E1DD72BE71A,SHA256=3CECA1B2A932E5D58030D0055C5B0819EAE89E017455A2AEB1E41F72490B77F4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:34.589{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:34.589{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C810A412ECAE2A08A119CB6E5A70D1,SHA256=8A74D040B18F1C8077F033A3FC8602A3A7FC7A98720EFA1537E1ADC72476CCA1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:34.320{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:35:34.320 23542300x800000000000000069935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:35.386{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82C36D31E79F800120590088844C250,SHA256=87C7356E9BE79B69F9AC6EC3107A5A41508183A361B9B95740573DDD095D26E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.963{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.963{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.962{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.939{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.939{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.939{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.876{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.875{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.875{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000096888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.852{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\msls31.dll3.10.349.0Microsoft Line Services library fileMicrosoft® Line ServicesMicrosoft CorporationMSLS31.DLLMD5=B2911DEDDF06CA1AB66C810EB98AA503,SHA256=B8FAC47D96B3577104AA20C84E532024E4B8D7A7B222E715E7FBC368151E34D3,IMPHASH=B42CEEFC5A11B8C6A930DBC4E521CD36trueMicrosoft WindowsValid 734700x800000000000000096887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.849{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\usp10.dll10.0.14393.3321 (rs1_release.191016-1811)Uniscribe Unicode script processorMicrosoft® Windows® Operating SystemMicrosoft CorporationUSP10.DLLMD5=BABC9A4B603F1B79B3184EF2E902EFBD,SHA256=119158E0116F78286FFA4AEE4924B53E98821AA48687132C26DE22D75ECBF200,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000096886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.845{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\riched20.dll5.31.23.1231Rich Text Edit Control, v3.1Microsoft RichEdit Control, version 3.1Microsoft Corporationriched20.dllMD5=8B3765D5135A105F4AD1B2582717B493,SHA256=6F0F9BF748660D218D21183A0B25D93BF5B659EF88B4F47E009480B3A244661F,IMPHASH=FCBAB28EC999FA973B07E9512CD573B5trueMicrosoft WindowsValid 10341000x800000000000000096885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.844{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.844{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.844{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000096882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.811{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6,IMPHASH=3048904B0486EA955A770016BECD49D3trueMicrosoft WindowsValid 734700x800000000000000096881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.795{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 354300x800000000000000096880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:32.905{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49734-false72.21.91.29-80http 11241100x800000000000000096879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.766{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.766{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD969D9B820F78CB926C61FBD7157AB3,SHA256=8D0ED1D122CF6ECBA562959B7867DA308ABC0B3A69991850A415AE7E69873A1A,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000096877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.739{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CA,IMPHASH=E36ED0B691E982CA503FA97C60EB70DCtrueMicrosoft WindowsValid 734700x800000000000000096876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.735{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=FE8A86849C7AAECEDE4C6D05DD01A15D,SHA256=7DB33FC022480980960D51D003E2602F428F867DB41DB36A2E38A194535019E9,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 734700x800000000000000096875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.733{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919,IMPHASH=D881C1D9FE5992A8813DE38FDD7EC834trueMicrosoft WindowsValid 734700x800000000000000096874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.727{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\RstrtMgr.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Restart ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRstrtMgr.dllMD5=F82283126CB07933AD9401BA5C4CF98B,SHA256=C0BCAC4ACC311C74AAF4A1A9E897538F7019C9B0A9BE47DF7545325965E80B4B,IMPHASH=7C08628E262D81B0D56F727169E3DC77trueMicrosoft WindowsValid 734700x800000000000000096873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.719{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\shfolder.dll10.0.14393.0 (rs1_release.160715-1616)Shell Folder ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationshfolder.dllMD5=83D8A4E04F99C5FD749D34CC4B970A0E,SHA256=0924F96973B3CE4F15BB7947E6C593B3EA1015E459BF70C3A247A31632EF2ACA,IMPHASH=A262E121DDB8823B3F2D530403B9D7E9trueMicrosoft WindowsValid 734700x800000000000000096872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.672{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\msimg32.dll10.0.14393.0 (rs1_release.160715-1616)GDIEXT Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationgdiextMD5=DB22BF6E188F54E592C1BBFBD4F79497,SHA256=F8F3EA23D8E761B346D27BFDF2140CC2B841ABC5CAD29875DD8A134D6C5FB4F4,IMPHASH=FA01E25592A750EEA64436094650B52CtrueMicrosoft WindowsValid 11241100x800000000000000096871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.704{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-2E3UC.tmp\_isetup\_shfoldr.dll2023-01-17 10:35:35.704 11241100x800000000000000096870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.704{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-2E3UC.tmp\_isetup\_setup64.tmp2023-01-17 10:35:35.704 11241100x800000000000000096869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.704{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-2E3UC.tmp\_isetup2023-01-17 10:35:35.704 11241100x800000000000000096868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.704{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-2E3UC.tmp2023-01-17 10:35:35.704 734700x800000000000000096867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.672{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=E059A215201387BD9D1B3C36340BAED5,SHA256=147EFB7344CEA39C09B18E2A232C58B32E5C0FDD521E58867FCA930EE8D1BC4C,IMPHASH=8A5E322D33D4D3960E0D1023A48F0874trueMicrosoft WindowsValid 10341000x800000000000000096866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.704{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.704{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.704{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 10341000x800000000000000096862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-7634-63C6-B901-00000000B002}49001464C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-7634-63C6-B901-00000000B002}49001464C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-7634-63C6-B901-00000000B002}49001464C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-7634-63C6-B901-00000000B002}49001464C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.606{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp51.52.0.0Setup/Uninstall---MD5=1C96ED29E0136825E06F037BF10B2419,SHA256=B10CF8CDF541CA0DD6DF79E66FB4B0854DCAC717ABA034BA0C4961BFF92FD021,IMPHASH=00000000000000000000000000000000false-Unavailable 10341000x800000000000000096854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 734700x800000000000000096850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.688{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=AC951CC1306C73767A05F04BFC916CD8,SHA256=5FE28B70168433EF1C6DDE3CB1BE43A1A614508C37BC9C32F2051E5BA341C6C3,IMPHASH=EF37C47ACC74D5DC3737EEE137193A8DtrueMicrosoft WindowsValid 10341000x800000000000000096849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.672{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.672{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.672{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x800000000000000096846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.672{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x800000000000000096845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.606{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0D,IMPHASH=1B7EF7A158566FE5E056CF936C1F0BA9trueMicrosoft WindowsValid 734700x800000000000000096844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x800000000000000096843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x800000000000000096842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x800000000000000096841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=827CF4DF011EA7BAF277BBA7E74F262E,SHA256=9C9BBF48DC43E2C405C04BE00DF600989093BBCD6CC7FD66CE8BEA97EC7D8499,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x800000000000000096840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x800000000000000096839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=D9C3B5FF35145713151626BE316EA7DA,SHA256=0921F4B23EDDE0B4C4A219120217B5E62C784DE1A2EF2C48C8999C956CDF2CB0,IMPHASH=9D339EEAB735596FA7DC404B5B56A994trueMicrosoft WindowsValid 734700x800000000000000096838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x800000000000000096837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=0487622561B6FA4067E8D603307A0457,SHA256=77585E9AD4130F504F881261356DC44BF3B88213CC9B03587FE1E46005D09A52,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 734700x800000000000000096836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.573{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 734700x800000000000000096835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.560{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x800000000000000096834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9B,IMPHASH=02A49231FBD4D14396A5A54F65097366trueMicrosoft WindowsValid 734700x800000000000000096833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x800000000000000096832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFD,IMPHASH=3546967BD7A83D49718BE45FB48403B5trueMicrosoft WindowsValid 734700x800000000000000096831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x800000000000000096830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C830A662D2219E9BFB13ED2894026915,SHA256=CB8048F560CC4FF567D2A8C2657004E70902855CCA50B4705A8053587E1ED007,IMPHASH=533BC84A1EC4841BF15F5E4FF63A29F1trueMicrosoft WindowsValid 734700x800000000000000096829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.659{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x800000000000000096828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x800000000000000096827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x800000000000000096826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=B422D6D349B239AA5DA5B66297A085B3,SHA256=3708B080455F4563B863211A4D602AE11CEBDEB94C8846EE580503C4F4A4DFE7,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x800000000000000096825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=3A48E40A8DC9780D16B55FA7F425C8BD,SHA256=1DC9E31DEE8E5FCB1ECDFCB14A79BC65EE46DED598D13CA9AFF03184DACE47CD,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x800000000000000096824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D8766A87C8B5B093B0469B493FF5F7E4,SHA256=8FB659C0D76E996E729FA2FD108F70988A44AA2FBF032D4C0D135E24009FCA80,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x800000000000000096823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x800000000000000096822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x800000000000000096821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x800000000000000096820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=6B8855A193E555FC990272CA897F17C8,SHA256=71DAF5DFD014D22AA8F9A57C67AEBA00A7F7D6751986726CB2F8D228FDD988B4,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x800000000000000096819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x800000000000000096818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=9D8F7BD41657B515DD46C7BF90A26CDB,SHA256=F73F1D7C426282357007294D5108EB4509EB96C1DF82B86BD2E657D93E7204B5,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x800000000000000096817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x800000000000000096816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=21F54383C7D18A94F38FECE94DD70857,SHA256=A640FB5178939AC7D6120624B37FF0D40805BF5136DA47C71227A88347663E02,IMPHASH=C3A947E86E0B67FAA3B0B56CC5C7BCA6trueMicrosoft WindowsValid 734700x800000000000000096815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=72EB4674143DA842FD0A5345292D582C,SHA256=67E414DE97C1E0F8B6E5EC4D4CDAD442CF86C45882FCE6DE6904A0BF352D71F8,IMPHASH=6798162B267BC20DD6DD5089B259E15BtrueMicrosoft WindowsValid 734700x800000000000000096814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x800000000000000096813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.644{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000096812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.504{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x800000000000000096811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.504{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x800000000000000096810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.640{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000096809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.640{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=72EB4674143DA842FD0A5345292D582C,SHA256=67E414DE97C1E0F8B6E5EC4D4CDAD442CF86C45882FCE6DE6904A0BF352D71F8,IMPHASH=6798162B267BC20DD6DD5089B259E15BtrueMicrosoft WindowsValid 734700x800000000000000096808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.640{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 11241100x800000000000000096807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.637{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.637{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F82CFB8FCEEEEAFA88A8E7663B7C6EE,SHA256=D16F85D0C5F14522E07AEC21F81F74BD00E3ACA79E4CCAC934E3D9D93EA34E0C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000096805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.488{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x800000000000000096804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.488{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=827CF4DF011EA7BAF277BBA7E74F262E,SHA256=9C9BBF48DC43E2C405C04BE00DF600989093BBCD6CC7FD66CE8BEA97EC7D8499,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x800000000000000096803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.621{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x800000000000000096802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.621{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x800000000000000096801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.621{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=008C343519B7638AEF1FBFD9DF26BC22,SHA256=9C5B8ED8542367D1DC5625AD5544C68ABB63C80887F2F448506581B32AA34CE5,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000096800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.621{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000096799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.488{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x800000000000000096798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.488{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=D9C3B5FF35145713151626BE316EA7DA,SHA256=0921F4B23EDDE0B4C4A219120217B5E62C784DE1A2EF2C48C8999C956CDF2CB0,IMPHASH=9D339EEAB735596FA7DC404B5B56A994trueMicrosoft WindowsValid 10341000x800000000000000096797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.588{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000096796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.588{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.588{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.588{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.588{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.588{F172AD64-79F7-63C6-9F02-00000000B002}74407388C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157e7b(wow64)|C:\Windows\System32\KERNELBASE.dll+157b2c(wow64)|C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe+9a61|C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe+aba1|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000096791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.588{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp51.52.0.0Setup/Uninstall---"C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp" /SL5="$207DA,1874675,150016,C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=1C96ED29E0136825E06F037BF10B2419,SHA256=B10CF8CDF541CA0DD6DF79E66FB4B0854DCAC717ABA034BA0C4961BFF92FD021,IMPHASH=00000000000000000000000000000000{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe"C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe" 10341000x800000000000000096790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.573{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000096789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.444{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x800000000000000096788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.444{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=0487622561B6FA4067E8D603307A0457,SHA256=77585E9AD4130F504F881261356DC44BF3B88213CC9B03587FE1E46005D09A52,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 734700x800000000000000096787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.573{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=AC951CC1306C73767A05F04BFC916CD8,SHA256=5FE28B70168433EF1C6DDE3CB1BE43A1A614508C37BC9C32F2051E5BA341C6C3,IMPHASH=EF37C47ACC74D5DC3737EEE137193A8DtrueMicrosoft WindowsValid 10341000x800000000000000096786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.560{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.560{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000096784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.504{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp2023-01-17 10:35:35.504 11241100x800000000000000096783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.504{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp2023-01-17 10:35:35.504 734700x800000000000000096782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.260{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x800000000000000096781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.260{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFD,IMPHASH=3546967BD7A83D49718BE45FB48403B5trueMicrosoft WindowsValid 734700x800000000000000096780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.244{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x800000000000000096779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.241{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C830A662D2219E9BFB13ED2894026915,SHA256=CB8048F560CC4FF567D2A8C2657004E70902855CCA50B4705A8053587E1ED007,IMPHASH=533BC84A1EC4841BF15F5E4FF63A29F1trueMicrosoft WindowsValid 734700x800000000000000096778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.236{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x800000000000000096777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.220{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x800000000000000096776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.220{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x800000000000000096775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.220{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=B422D6D349B239AA5DA5B66297A085B3,SHA256=3708B080455F4563B863211A4D602AE11CEBDEB94C8846EE580503C4F4A4DFE7,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x800000000000000096774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.220{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=3A48E40A8DC9780D16B55FA7F425C8BD,SHA256=1DC9E31DEE8E5FCB1ECDFCB14A79BC65EE46DED598D13CA9AFF03184DACE47CD,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x800000000000000096773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.205{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=D8766A87C8B5B093B0469B493FF5F7E4,SHA256=8FB659C0D76E996E729FA2FD108F70988A44AA2FBF032D4C0D135E24009FCA80,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x800000000000000096772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.173{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x800000000000000096771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.160{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x800000000000000096770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.160{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x800000000000000096769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.160{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=6B8855A193E555FC990272CA897F17C8,SHA256=71DAF5DFD014D22AA8F9A57C67AEBA00A7F7D6751986726CB2F8D228FDD988B4,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x800000000000000096768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.144{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x800000000000000096767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.144{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=9D8F7BD41657B515DD46C7BF90A26CDB,SHA256=F73F1D7C426282357007294D5108EB4509EB96C1DF82B86BD2E657D93E7204B5,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x800000000000000096766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.144{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x800000000000000096765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.123{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=21F54383C7D18A94F38FECE94DD70857,SHA256=A640FB5178939AC7D6120624B37FF0D40805BF5136DA47C71227A88347663E02,IMPHASH=C3A947E86E0B67FAA3B0B56CC5C7BCA6trueMicrosoft WindowsValid 734700x800000000000000096764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.104{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x800000000000000096763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.104{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=72EB4674143DA842FD0A5345292D582C,SHA256=67E414DE97C1E0F8B6E5EC4D4CDAD442CF86C45882FCE6DE6904A0BF352D71F8,IMPHASH=6798162B267BC20DD6DD5089B259E15BtrueMicrosoft WindowsValid 734700x800000000000000096762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.104{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=72EB4674143DA842FD0A5345292D582C,SHA256=67E414DE97C1E0F8B6E5EC4D4CDAD442CF86C45882FCE6DE6904A0BF352D71F8,IMPHASH=6798162B267BC20DD6DD5089B259E15BtrueMicrosoft WindowsValid 734700x800000000000000096761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.104{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x800000000000000096760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.089{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x800000000000000096759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.089{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=008C343519B7638AEF1FBFD9DF26BC22,SHA256=9C5B8ED8542367D1DC5625AD5544C68ABB63C80887F2F448506581B32AA34CE5,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000096758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Users\Administrator\Downloads\processhacker-2.39-setup.exe2.39 (r124) Process Hacker Setup Process Hacker wj32 -MD5=54DAAD58CCE5003BEE58B28A4F465F49,SHA256=28042DD4A92A0033B8F1D419B9E989C5B8E32D1D2D881F5C8251D58CE35B9063,IMPHASH=00000000000000000000000000000000trueWen Jia LiuValid 11241100x800000000000000096757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.123{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3781B4A3713292956206932165FA4132_29912A7EA9EDB60BB42BD5D9643E27BB2023-01-17 10:35:35.123 11241100x800000000000000096756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.123{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3781B4A3713292956206932165FA4132_29912A7EA9EDB60BB42BD5D9643E27BB2023-01-17 10:35:35.123 734700x800000000000000096755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.104{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000096754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.104{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000096753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.104{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000096752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000096751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000096750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDBSetValue2023-01-17 10:35:35.073{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\processhacker-2.39-setup.exeBinary Data 10341000x800000000000000096749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-6CE8-63C6-1300-00000000B002}6807928C:\Windows\System32\svchost.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-6CE8-63C6-1300-00000000B002}6807928C:\Windows\System32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000096742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.073{F172AD64-7634-63C6-B901-00000000B002}49007276C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000096741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:35.056{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe2.39 (r124) Process Hacker Setup Process Hacker wj32 -"C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=54DAAD58CCE5003BEE58B28A4F465F49,SHA256=28042DD4A92A0033B8F1D419B9E989C5B8E32D1D2D881F5C8251D58CE35B9063,IMPHASH=00000000000000000000000000000000{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 23542300x800000000000000069936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:36.475{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3900F4DA53AB7B2E8A0D1D63D9DD8F,SHA256=1403E4E146847DEE9C0477D48DD935D15BF43639203ED1A6F8769B7B7D98415E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:34.231{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49735-false72.21.91.29-80http 11241100x800000000000000096903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:36.788{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:36.788{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E175DED707D23A09A3AE6F040FE9C76D,SHA256=83DB136B246AD3AAB1D3B2ED7AFC8E37E2483919333A1A6C9D59F5A39B005F89,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:36.121{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000096900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:36.121{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED3B6EA1E662B55CE34D0307E0356667,SHA256=05A42A44CAB2BA7261A3AE4238E2CB2E8805D52D5E7F0BB3AA919F811AC6797C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:36.014{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000096898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:36.014{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=12FD3C7F3AE1B4E9F57B2D6CEDD0A1AD,SHA256=F5102D9B801611FDD3689C0720A7EA05291EB4B2107F9CA0B9089354754BE649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:37.574{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CBB2C148C6B2D3092BC0A67470913E,SHA256=FD171EDD0C783437BFD963E50B9642E024D5CC7B11A88A517C7CD12E6040633B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:37.894{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:37.893{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81598DFBBED71D3477A91B5D2BB9E44E,SHA256=D08535148668D519A8DB94458E0A0CF753DCF7A0C4C9D541AA21DF4F52C8612C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:34.385{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49736-false10.0.1.12-8000- 10341000x800000000000000096910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:37.061{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:37.061{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:37.061{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:37.060{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:37.060{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000096905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:37.060{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 354300x800000000000000069939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:37.134{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50376-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:38.650{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71270AB75491DC82B71D496C34147688,SHA256=96B129CA583DAEE3144D46AF314F08D583D1C754652405EBE09FE35F3C12D3F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:38.919{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:38.919{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B7C953FA1D6420D5095974B817AB63,SHA256=E5B8312BB2368E96289ACB309597620C99D086F42A766F4949C4B504EEC87916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:39.729{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFE7B082F224CAC1C3E573C11B4C463,SHA256=6BCD4503B1C4B76F10C3F716821CDBF2431F1AC1A2526FE88E168FA0B3D586A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:40.822{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B83DED49C332F06E4FFC2402ED8514,SHA256=A6B4CF55418BA70BDE65DE9341796B3E1D4663C1AD2924EA4587DD74EBD85BC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:40.092{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2D6A01D60B62E609224BD77F152B2CF5B740646D2023-01-17 10:35:40.092 11241100x800000000000000096917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:40.036{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:40.036{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318B11488BECACD6E34588BF1D8EF49E,SHA256=A19579B7C0912D4FBAF3F39C59F4820AACAFF55B5F4F82EAC901CF5C74065B87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.164{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.164{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.164{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.164{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.161{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.161{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.161{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.161{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.154{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000096921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.154{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000096920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.137{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:41.137{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEF0C279342A7F63D1F55C3599B18D9,SHA256=69EDFB527B1A0BFDD115E72D173ED63B91BD53DB87481879682623C43F5FA862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:42.033{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D4642CB3511300EABB16B146398F18,SHA256=0053C022C5EC0333453244FB8D3EE33A2EF70BA0D36A7FC60FB626590EE427E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:42.560{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000096933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:42.560{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DCD3F649362D390F056EE25645457F25,SHA256=F2A1ED4B5303110E3B5183CBC9AFC2590BB23BB2D5FB2AC258049F3E15B2C5B3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:42.240{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:42.240{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A679A98D469DD3E3AF522293679286,SHA256=8A0E1A8598A7C213929DF4B6A78026787D53E4B2D99F0A1018924E372E562338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:43.979{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=777F6F9F877AB3591D3D905C444CC86D,SHA256=E40CD71C134D185FDA06FADEA65FC2F8DE55CC351FBBFE7C4D08CF8079825E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:43.121{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C52882473796FF0ABEBAD2AA47A96B7,SHA256=E497EE714FB44222DB24286FD7B94B01ADEB87197D8A2ED4E3C12848BD465CCF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:43.300{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:43.300{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BD47E372C7B481D20ED71E26C80E04,SHA256=A521B46DD7031645FAB52CBB3C95691A2FC1EF6598A1211A47CD79F71D56C900,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000096935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:40.256{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49737-false10.0.1.12-8000- 23542300x800000000000000069946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:44.230{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3374AC385DB7F00F1598625751808012,SHA256=3B9A3352FEBB3F86A0669700B119D1544CC34D2CC53F1DFD910B24763F35B6B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000096957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.986{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9B02-00000000B002}7612C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.986{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EE-63C6-9A02-00000000B002}7604C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.986{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9602-00000000B002}1864C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.986{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E9-63C6-9102-00000000B002}6336C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.986{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9402-00000000B002}6004C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.986{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79E6-63C6-8E02-00000000B002}4180C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000096951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.937{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0B105BD22078C5F6A8D7C7DE5CFDFB15D46BEEE22023-01-17 10:35:44.937 11241100x800000000000000096950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.937{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\99EAC7D9DFFEEF946C377763CABA11877668492B2023-01-17 10:35:44.935 11241100x800000000000000096949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8D611263B6D44532AE6BA8DDC2F258B4696B7B142023-01-17 10:35:44.918 11241100x800000000000000096948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\719319907BBB34D1D864EEDA33B48AABF7FE8ADB2023-01-17 10:35:44.918 23542300x800000000000000096947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.918{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\protections.sqlite-journalMD5=77A579374452BBD41EACD864ABF8EE16,SHA256=C845E05D3D317609EAD0E6BE3DA787B475678DC6F5F890A2829C883561FF7FF1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AA0A20782907EC1AE907AE936D685C456D091BFF2023-01-17 10:35:44.918 11241100x800000000000000096945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6031AD0B4C732B61B971116F0D6E686BF09DAA1C2023-01-17 10:35:44.918 11241100x800000000000000096944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.902{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A2405E88582B289FBDA4F7442EBC955ABA43DC282023-01-17 10:35:44.902 11241100x800000000000000096943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.902{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9DA6DC54F8B6E67525F6AD074F984B4F1D4EFC692023-01-17 10:35:44.902 11241100x800000000000000096942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.902{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\protections.sqlite-journal2023-01-17 10:35:44.902 11241100x800000000000000096941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.887{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8E3780262065EEBA8C550DF8D06E7083FB7A569D2023-01-17 10:35:44.887 11241100x800000000000000096940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.842{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\42E3E2AE85536A830ABCED28D07E8510FC8D876B2023-01-17 10:35:44.842 11241100x800000000000000096939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.335{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.335{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DF25155FD27FB5664D7F60512A7810,SHA256=6181934878DFA9701DAC052D7F72AE709527D536A6D2A2171079CBD6007538D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:42.225{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50377-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000069947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:45.313{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149114784B07F38ECA1FF0CFD4F89DD9,SHA256=59542797649B5462FAE2C981E6FD92CE09D120C0F933FA3DFC2FA1577018CBD8,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000097134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.955{F172AD64-7935-63C6-6402-00000000B002}2296ap.lijit.com0type: 5 vap.lijit.com;type: 5 nace.vap.lijit.com;69.175.41.32;69.175.41.2;69.175.41.44;69.175.41.79;69.175.41.15;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000097133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.932{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\92B746AED128B4A1E14DEBEB4071859A3695B22C2023-01-17 10:35:45.931 11241100x800000000000000097132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.909{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BFC239390D73CE952C21C783E9975EC316436E9B2023-01-17 10:35:25.557 11241100x800000000000000097131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.897{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\unins000.dat2023-01-17 10:35:45.087 23542300x800000000000000097130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.897{F172AD64-79F7-63C6-A002-00000000B002}4876ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\unins000.datMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000097129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:35:45.897{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Process_Hacker2_is1\URLUpdateInfohttp://processhacker.sourceforge.net/ 13241300x800000000000000097128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:35:45.893{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Process_Hacker2_is1\Publisherwj32 10341000x800000000000000097127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330 10341000x800000000000000097116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890 10341000x800000000000000097115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330 10341000x800000000000000097112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.885{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890 11241100x800000000000000097111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.881{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Users\Administrator\Desktop\Process Hacker 2.lnk2023-01-17 10:35:45.881 10341000x800000000000000097110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.881{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.881{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.881{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.881{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.881{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.881{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330 10341000x800000000000000097099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890 10341000x800000000000000097098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330 10341000x800000000000000097095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890 11241100x800000000000000097094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.877{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Uninstall Process Hacker 2.lnk2023-01-17 10:35:45.877 10341000x800000000000000097093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 11241100x800000000000000097085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Help and Support\Process Hacker 2 on the Web.url2023-01-17 10:35:45.873 10341000x800000000000000097084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.873{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330 10341000x800000000000000097073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890 10341000x800000000000000097072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330 10341000x800000000000000097069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890 11241100x800000000000000097068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Help and Support\Changelog.lnk2023-01-17 10:35:45.869 10341000x800000000000000097067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70226|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30 10341000x800000000000000097066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70226|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30 10341000x800000000000000097065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70226|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b 10341000x800000000000000097064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70226|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30 10341000x800000000000000097062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30 10341000x800000000000000097061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b 10341000x800000000000000097060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 11241100x800000000000000097059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.869{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Help and Support2023-01-17 10:35:45.869 10341000x800000000000000097058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330 10341000x800000000000000097047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890 10341000x800000000000000097046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330 10341000x800000000000000097043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890 11241100x800000000000000097042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.865{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Process Hacker 2.lnk2023-01-17 10:35:45.865 734700x800000000000000097041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.837{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1C,IMPHASH=10D1A0A9604BC5A246039AD496C55F0BtrueMicrosoft WindowsValid 10341000x800000000000000097040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.861{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.861{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.861{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.861{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7342b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.861{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.861{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 10341000x800000000000000097034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.857{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.857{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73406|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.857{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.857{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.857{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330 10341000x800000000000000097029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.853{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20de(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890 10341000x800000000000000097028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.853{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.853{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 10341000x800000000000000097026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.853{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330 10341000x800000000000000097025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.853{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\windows.storage.dll+e20ce(wow64)|C:\Windows\System32\windows.storage.dll+e1f5b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+56a04|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73330|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890 734700x800000000000000097024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.829{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\ntshrui.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=AA1F155AC6878C92145EA656FC705D00,SHA256=11651DCED456A1E368AE2F0C128D8332DBD9B98EF9D0B175F0696B5E75294F7A,IMPHASH=3FAB7AFAD7D1D183222AC26ADA3CA3BEtrueMicrosoft WindowsValid 11241100x800000000000000097023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.840{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\PE Viewer.lnk2023-01-17 10:35:45.839 734700x800000000000000097022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.831{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=ABB61EA7CC462930FB56C2D004A5B06C,SHA256=7C1525EEFF5357013C68BDDAB2F255E40C8D82A43EF05F374B8DE7D8B5247711,IMPHASH=B1A124F5ECF68D9AFF86BEE7BFF328D4trueMicrosoft WindowsValid 734700x800000000000000097021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.803{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6,IMPHASH=71D541B9FE71736387DC5FC5B72CDD03trueMicrosoft WindowsValid 734700x800000000000000097020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.803{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17,IMPHASH=F65198FB793A8A98E01EC9C1E0924384trueMicrosoft WindowsValid 10341000x800000000000000097019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70226|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30 11241100x800000000000000097018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\920EEA94D721EE6EF8A7CBE39A49CB81C131DEB82023-01-17 10:35:45.787 10341000x800000000000000097017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70226|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30 10341000x800000000000000097016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70226|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b 10341000x800000000000000097015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70226|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+1939d9(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30 10341000x800000000000000097013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shell32.dll+19395a(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30 10341000x800000000000000097012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b 10341000x800000000000000097011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+193945(wow64)|C:\Windows\System32\shell32.dll+1934ec(wow64)|C:\Windows\System32\shell32.dll+229cd4(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\shell32.dll+130450(wow64)|C:\Windows\System32\shell32.dll+19361f(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30 10341000x800000000000000097009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+130442(wow64)|C:\Windows\System32\shell32.dll+19361f(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b 10341000x800000000000000097008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+130442(wow64)|C:\Windows\System32\shell32.dll+19361f(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+70201|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+732a4|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+73890|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+7673b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83c3b|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c479 11241100x800000000000000097007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 22023-01-17 10:35:45.787 11241100x800000000000000097006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.787{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\is-28SH5.tmp2023-01-17 10:35:45.787 11241100x800000000000000097005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.771{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-J61ML.tmp2023-01-17 10:35:45.771 11241100x800000000000000097004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.771{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-11U3J.tmp2023-01-17 10:35:45.771 11241100x800000000000000097003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.758{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-B5O9R.tmp2023-01-17 10:35:45.758 11241100x800000000000000097002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.743{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-JK1AH.tmp2023-01-17 10:35:45.743 11241100x800000000000000097001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.743{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-EM7D4.tmp2023-01-17 10:35:45.743 11241100x800000000000000097000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.738{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-N4UTG.tmp2023-01-17 10:35:45.737 11241100x800000000000000096999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.718{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-0H7OD.tmp2023-01-17 10:35:45.718 11241100x800000000000000096998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.718{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-BAA18.tmp2023-01-17 10:35:45.718 11241100x800000000000000096997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.703{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-5P8VS.tmp2023-01-17 10:35:45.703 11241100x800000000000000096996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.687{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-I6OPR.tmp2023-01-17 10:35:45.687 11241100x800000000000000096995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.687{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-NTCTS.tmp2023-01-17 10:35:45.687 11241100x800000000000000096994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.603{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\054F87DA8D9AC606C9109319CA3C17E3EFC3BAFF2023-01-17 10:35:45.603 11241100x800000000000000096993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.559{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\x86\plugins\is-Q43CH.tmp2023-01-17 10:35:45.559 11241100x800000000000000096992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.559{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\x86\plugins2023-01-17 10:35:45.559 11241100x800000000000000096991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.543{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins\is-KP7D4.tmp2023-01-17 10:35:45.543 11241100x800000000000000096990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.543{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\plugins2023-01-17 10:35:45.543 11241100x800000000000000096989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.540{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\is-HLTHS.tmp2023-01-17 10:35:45.540 11241100x800000000000000096988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.487{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000096987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.487{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA66C4C16ACCF7C78B956F9B8042619B,SHA256=4DFE084C81F5F6E8EA1CF3997DF4036C16A4CFE8DBF92792CFA765BAADBC2641,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.472{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\is-26MIG.tmp2023-01-17 10:35:45.472 11241100x800000000000000096985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.472{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\790CDDCDFD0A10E4F8A5437A9CEBDFD061BC872D2023-01-17 10:35:45.472 11241100x800000000000000096984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.405{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\x86\is-9MENL.tmp2023-01-17 10:35:45.404 11241100x800000000000000096983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.404{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\x862023-01-17 10:35:45.404 11241100x800000000000000096982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.403{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\is-1O7N5.tmp2023-01-17 10:35:45.403 11241100x800000000000000096981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.350{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2446935E20D783B5715AC89976369370B8B7AC692023-01-17 10:35:45.350 11241100x800000000000000096980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.345{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\48D3B4A6CF4517BF8D116FA61863474D985E26FA2023-01-17 10:35:45.345 11241100x800000000000000096979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.343{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1C2AF10FAE8AAD8942311A3F21892B35ACDBAAAE2023-01-17 10:35:45.343 734700x800000000000000096978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.219{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\devrtl.dll10.0.14393.0 (rs1_release.160715-1616)Device Management Run Time LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationDEVRTL.DLLMD5=1936D3D892367984EAC7B5E9419E422E,SHA256=740D1CE172CD37403BB6993ADAC01240626494BA1BECA5DA0D8041A622EA5D7C,IMPHASH=EBD005ECFAAB928236FE61F0119639B1trueMicrosoft WindowsValid 734700x800000000000000096977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.219{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=AA7C77E4D80A83624BACD72A0A22E374,SHA256=E6B8C76FA6163B808D6B797B1227622925E2E861B383FB132C6B3D6BA24D71E3,IMPHASH=69C9827FA8A57968D7E74F368AD4E790trueMicrosoft WindowsValid 11241100x800000000000000096976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.243{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\is-9RCIT.tmp2023-01-17 10:35:45.243 734700x800000000000000096975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.172{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=94C93F32B21EB2DA6AFF2C264B17E623,SHA256=4ABE629C6A2A44F35F205709FB004837871D6CD4F3C21F2F77432B2F98DAFC77,IMPHASH=427ABCACB68FF99E5D5660EACE2D94AFtrueMicrosoft WindowsValid 11241100x800000000000000096974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.243{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\is-HQSIG.tmp2023-01-17 10:35:45.243 11241100x800000000000000096973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.243{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\is-MLS1S.tmp2023-01-17 10:35:45.243 23542300x800000000000000096972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.243{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\4314MD5=7F1D8F6B6C19FFCEFAA1CB304032D971,SHA256=D3C057631FD75CC49CCEAB62256C7E440F07D06BB273633EAE01CD317EEA78F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000096971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.243{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\is-4H546.tmp2023-01-17 10:35:45.243 734700x800000000000000096970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.172{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=0F1E9D98CC524190E9B045908E6BC1F6,SHA256=252B3BA71F9452011FA60B6C7655DE65C93EE02754F6B7AF08CBBAAE844CDEEB,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 11241100x800000000000000096969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.240{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\is-3DSU3.tmp2023-01-17 10:35:45.240 10341000x800000000000000096968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.238{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9 734700x800000000000000096967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.159{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=9865FB6CC8FD8B5E47948AC6A122525C,SHA256=520701AFBF7D925B35D7FE13054BD4D77C6F286727916DB17488551759013E38,IMPHASH=4EAA47D0596BBC7CE895C12400AD162CtrueMicrosoft WindowsValid 11241100x800000000000000096966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.219{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\is-DG1U4.tmp2023-01-17 10:35:45.219 11241100x800000000000000096965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.087{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 2\unins000.dat2023-01-17 10:35:45.087 11241100x800000000000000096964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.087{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Program Files\Process Hacker 22023-01-17 10:35:45.087 10341000x800000000000000096963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.087{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.087{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.087{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+97c315|C:\Program Files\Mozilla Firefox\xul.dll+97b599|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+820087|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e 11241100x800000000000000096960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.087{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1A55EC070E1DE1A53CE12F6DEF19526F7D69CD7B2023-01-17 10:35:45.087 11241100x800000000000000096959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.087{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\34C35924EA824BA7D7253C2A97A81ABCE8E181A32023-01-17 10:35:45.087 10341000x800000000000000096958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.018{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EC-63C6-9502-00000000B002}3832C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000069948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:46.401{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67726EF48E91D3A1DE44F31C6832F072,SHA256=7F4FBBD068EC0B58E55893D0393DFD3842DB21AB1F5C3113CDCEB1619C0AFA1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000097711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.978{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.977{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.977{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.974{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000097707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.972{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x800000000000000097706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.951{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 22542200x800000000000000097705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.049{F172AD64-7935-63C6-6402-00000000B002}2296pagead-googlehosted.l.google.com02607:f8b0:4009:819::2001;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000097704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.450{F172AD64-7935-63C6-6402-00000000B002}2296snap.licdn.com0type: 5 od.linkedin.edgesuite.net;type: 5 a1916.dscg2.akamai.net;23.33.22.134;23.33.22.145;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000097703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.257{F172AD64-7935-63C6-6402-00000000B002}2296a1944.d.akamai.net023.33.22.148;23.33.22.153;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000097702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.160{F172AD64-7935-63C6-6402-00000000B002}2296a1916.dscg2.akamai.net02600:140a:e000::173d:f6a3;2600:140a:e000::173d:f691;C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.964{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000097700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.963{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 10341000x800000000000000097699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.960{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.960{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.960{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.959{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.959{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.959{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000097693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.955{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000097692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.954{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000097691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.954{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000097690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.954{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000097689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.953{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000097688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.953{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000097687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.953{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000097686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.952{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000097685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.952{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000097684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.952{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000097683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.951{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000097682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.951{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000097681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.951{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000097680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\ProcessHacker.exe2.39.0.124Process HackerProcess Hackerwj32ProcessHacker.exeMD5=B365AF317AE730A67C936F21432B9C71,SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4,IMPHASH=3695333C60DEDECDCAFF1590409AA462trueWen Jia LiuValid 354300x800000000000000097679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.045{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55235- 354300x800000000000000097678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.891{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49750-false52.55.144.0ec2-52-55-144-0.compute-1.amazonaws.com443https 354300x800000000000000097677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.590{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49749-false23.33.22.134a23-33-22-134.deploy.static.akamaitechnologies.com443https 354300x800000000000000097676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.578{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50214- 734700x800000000000000097675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000097674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000097673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000097672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000097671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000097670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000097669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000097668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000097667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000097665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000097664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.937{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x800000000000000097663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000097662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000097661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0D,IMPHASH=1B7EF7A158566FE5E056CF936C1F0BA9trueMicrosoft WindowsValid 10341000x800000000000000097659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000097655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.933{F172AD64-79F7-63C6-A002-00000000B002}48765732C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157e7b(wow64)|C:\Windows\System32\KERNELBASE.dll+157b2c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+528b5|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+55222|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+786fb|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83322|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+83fad|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+84064|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+6c26d|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1545e|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+16c30|C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp+1f3c2 154100x800000000000000097653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.921{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe2.39.0.124Process HackerProcess Hackerwj32ProcessHacker.exe"C:\Program Files\Process Hacker 2\ProcessHacker.exe"C:\Program Files\Process Hacker 2\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=B365AF317AE730A67C936F21432B9C71,SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4,IMPHASH=3695333C60DEDECDCAFF1590409AA462{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp"C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp" /SL5="$207DA,1874675,150016,C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe" 10341000x800000000000000097652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.917{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.913{F172AD64-7634-63C6-B901-00000000B002}49005092C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.913{F172AD64-7634-63C6-B901-00000000B002}49005092C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.913{F172AD64-7634-63C6-B901-00000000B002}49005092C:\Windows\Explorer.EXE{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.880{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.870{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.5127Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=949437310EC0EB86F6B5985189C513C8,SHA256=A3751817F2212BFA84BC21D22B06DDEC1B64DD54C532F5902AED9BDD934C99DA,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 11241100x800000000000000097646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.846{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000097645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.845{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A733799FC36420C2957F5183A67A9948,SHA256=8DC9B2B7D2D108C849C24A1CE19C5ED8F38185CCAA77114F40DC8A62096300C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000097644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.844{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6BA7961536C27DE27F164D95AFC1DBEEC205F4102023-01-17 10:35:46.844 11241100x800000000000000097643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.809{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000097642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.809{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C19204E29CB7996ABD901963F086F5,SHA256=707657A1250508A8FC0809C62266095FA251FA955D9D25CC5BC788F5800DA089,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000097641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.808{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\72CB76E5E14815F6BEC4210B58DAB622311BF2CC2023-01-17 10:35:46.808 10341000x800000000000000097640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.776{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.776{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.776{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.775{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.775{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.775{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000097634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.763{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8C937CE1B55015A4F530F5CC35D574B009B7F5BA2023-01-17 10:35:46.763 11241100x800000000000000097633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.754{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\649B65D72E913EEE38735F5187A00F985250D93A2023-01-17 10:35:46.754 11241100x800000000000000097632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.744{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\14326544D93D38E8CAADE5BBCBDD91413A1ED1B52023-01-17 10:35:46.744 10341000x800000000000000097631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.736{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+97c315|C:\Program Files\Mozilla Firefox\xul.dll+97b599|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+820087|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e 734700x800000000000000097630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.733{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000097629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.732{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 11241100x800000000000000097628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.732{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1009240B3DA8C69259F60BF2D054DF71B0086E032023-01-17 10:35:46.731 10341000x800000000000000097627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.728{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.726{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.725{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000097624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.724{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000097623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.723{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000097622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.720{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 10341000x800000000000000097621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.720{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.719{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000097619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.719{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000097618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.719{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 10341000x800000000000000097617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.719{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.718{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000097615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.718{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000097614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.715{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000097613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.715{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.715{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.714{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 10341000x800000000000000097610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.714{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.713{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.713{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000097607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.712{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000097606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.710{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000097605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.709{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000097604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.709{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000097603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.708{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000097602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.707{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000097601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.707{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000097600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.706{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000097599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.704{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000097598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.703{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000097597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.700{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.700{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.700{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000097594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.698{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000097593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.696{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000097592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.696{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000097591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.695{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000097590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.695{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 10341000x800000000000000097589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.692{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.692{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.691{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000097586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.689{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 10341000x800000000000000097585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.687{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.687{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 10341000x800000000000000097583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.687{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.686{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 10341000x800000000000000097581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.686{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.686{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x800000000000000097579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.686{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.686{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000097577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.686{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000097576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.686{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000097575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.682{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000097574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.682{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000097573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.680{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000097572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.679{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000097571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.678{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000097570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.678{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000097569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.674{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000097568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.673{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000097567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.669{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000097566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.669{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 11241100x800000000000000097565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.659{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A6995F311E0F7F7231F3B924FADE5770F0B5CD962023-01-17 10:35:46.659 734700x800000000000000097564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.642{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 734700x800000000000000097563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.645{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000097562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.644{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000097561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.644{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000097560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.643{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x800000000000000097559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.628{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.628{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.627{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000097556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.624{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000097555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.620{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000097554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.620{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000097553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.620{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.619{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000097551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.614{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x800000000000000097550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.613{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.608{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000097548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.606{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000097547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.598{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000097546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.597{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 11241100x800000000000000097545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.595{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BF6AB578F07A2DBC6B9F58EBADBD985608F896532023-01-17 10:35:46.595 11241100x800000000000000097544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.595{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A611551F6CD9397022AF91A57CC55EC5ECC30BED2023-01-17 10:35:46.594 734700x800000000000000097543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.594{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000097542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.592{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000097541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.592{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000097540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.591{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000097539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.590{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x800000000000000097538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.585{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000097537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.584{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000097536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.583{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000097535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.583{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000097534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.575{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 734700x800000000000000097533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.582{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000097532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.577{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000097531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.574{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000097530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.573{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.566{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.565{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.565{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.565{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.565{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.565{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.542{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.542{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.542{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.541{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.541{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.540{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000097517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.533{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000097516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.532{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD33E0D08B63D607924D2063B274008,SHA256=3928664B0CE4FAF95FAE037F449A8614B4442FB50CEBE3AA90DB5E16AD836E9D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000097515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\26411D9B2689AD670BC283050C7E1A78D50A86192023-01-17 10:35:46.518 10341000x800000000000000097514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.511{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.511{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.511{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.511{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.511{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000097509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.511{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000097508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.393{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49748-false216.105.38.9-443https 354300x800000000000000097507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.370{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52693- 11241100x800000000000000097506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.387{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000097505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.387{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C7F7A9CA949B23CF3E10409C749D5E,SHA256=11972327EE8C26DA49C7C0B8F3DA5AF64FAA050E283A8FB48E74905C29A53769,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000097504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.337{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D65AA07AB7D73F0FB5ED1CBCE5F4B6E3EDB460CF2023-01-17 10:35:46.337 18141800x800000000000000097503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.333{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-23C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000097502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.333{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-23C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.332{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000097500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.331{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000097499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.331{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000097498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.319{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.317{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000097496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.316{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000097495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.316{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-22C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000097494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.316{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-22C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000097493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.315{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-21C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000097492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.315{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-21C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.314{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 18141800x800000000000000097490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.313{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-20C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000097489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.313{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-20C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.313{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000097487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.312{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000097486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.310{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000097485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.310{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000097484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.309{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000097483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.309{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000097482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.309{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 18141800x800000000000000097481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.309{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.17771066193798401814C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000097480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.309{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.17771066193798401814C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.309{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000097478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.308{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000097477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.308{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000097476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.308{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.25.15990670C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.302{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000097474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.300{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000097473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.290{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000097472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.297{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.294{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000097470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.290{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000097469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.295{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 10341000x800000000000000097468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.295{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.295{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000097466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.294{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.18167760549610788758C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000097465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.294{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.18167760549610788758C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000097464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.294{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.293{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.293{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 18141800x800000000000000097461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.293{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.24.57208220C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.292{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000097459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.291{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000097458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.291{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000097457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.291{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.9051733830138787685C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000097456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.290{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.9051733830138787685C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000097455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.290{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.7853363884473301C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000097454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.290{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.7853363884473301C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000097453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.289{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9aaa|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000097452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.289{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.27.96621640C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000097451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.288{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000097450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.288{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.26.12348550C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000097449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.287{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000097448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.287{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.276{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000097446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.276{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000097445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.281{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000097444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.276{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x800000000000000097443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.283{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000097442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.283{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000097441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.283{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000097440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:46.283{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.281{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000097438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.277{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000097437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.277{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000097436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.276{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000097435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.276{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000097434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.275{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000097433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.275{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000097432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.275{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000097431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.274{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000097430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.274{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000097429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.273{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000097428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.273{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000097427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.273{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000097426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.272{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000097425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.271{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000097424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.270{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000097423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.270{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000097422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.270{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000097421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.269{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000097420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.269{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000097419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.269{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000097418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.269{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000097417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.268{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000097416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.267{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000097415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.266{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000097414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.265{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000097413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.265{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.265{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000097411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.263{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000097410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.263{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000097409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.239{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000097408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.239{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000097407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.261{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000097406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.239{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000097405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.257{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000097404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.257{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000097403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.257{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000097402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.257{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000097401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.257{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000097400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.257{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000097399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.253{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000097398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.253{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000097397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.253{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000097396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.253{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.253{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000097394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.253{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.247{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.247{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.247{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.247{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.232{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x800000000000000097388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.247{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000097387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.247{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.232{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 154100x800000000000000097385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.247{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.27.966216405\127924816" -childID 24 -isForBrowser -prefsHandle 7956 -prefMapHandle 8632 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d14fcbe-6682-40a5-8c14-814dafa4cbc7} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 9064 1793e1f0558 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x800000000000000097384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.231{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x800000000000000097383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.243{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.242{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.242{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.242{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.242{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.242{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.241{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000097357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.239{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.27.96621640C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.233{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000097355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.232{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000097354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.232{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000097353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.231{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000097352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.231{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000097351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.231{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000097350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.231{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000097349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.231{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000097348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.230{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000097347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.230{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000097346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.229{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000097345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.229{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000097344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.229{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000097343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.229{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000097342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.229{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000097341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.228{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000097340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.228{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000097339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.228{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000097338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.228{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000097337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.224{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000097336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.224{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000097335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.224{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000097334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.224{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000097333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.224{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000097332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.224{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000097331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.208{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000097330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.208{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000097329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.224{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000097328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.212{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000097327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.220{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000097326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.188{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000097325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.188{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000097324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.188{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000097323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.184{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000097322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.184{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000097321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.188{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000097320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.204{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000097319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.204{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000097318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.204{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000097317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.196{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000097316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.196{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000097315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.196{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000097314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.164{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.168{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.168{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.188{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000097310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.188{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000097309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.188{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 354300x800000000000000097308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.300{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49747-false216.105.38.9-443https 354300x800000000000000097307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.287{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53125- 354300x800000000000000097306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.287{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49726- 354300x800000000000000097305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.286{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49228- 354300x800000000000000097304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.167{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49746-false8.43.72.62-443https 354300x800000000000000097303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.113{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49745-false69.175.41.32sovrn-193627-chi03-placeholder443https 354300x800000000000000097302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.102{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49744-false68.67.179.89565.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net443https 354300x800000000000000097301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.088{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49743-false3.230.239.153ec2-3-230-239-153.compute-1.amazonaws.com443https 354300x800000000000000097300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.088{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49742-false3.230.239.153ec2-3-230-239-153.compute-1.amazonaws.com443https 354300x800000000000000097299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.087{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49741-false3.230.239.153ec2-3-230-239-153.compute-1.amazonaws.com443https 354300x800000000000000097298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.086{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49740-false3.230.239.153ec2-3-230-239-153.compute-1.amazonaws.com443https 354300x800000000000000097297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.084{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49738-false3.230.239.153ec2-3-230-239-153.compute-1.amazonaws.com443https 354300x800000000000000097296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.083{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49739-false3.230.239.153ec2-3-230-239-153.compute-1.amazonaws.com443https 354300x800000000000000097295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.082{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65059- 354300x800000000000000097294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:44.065{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62658- 734700x800000000000000097293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.160{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000097292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.164{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000097291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.164{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000097290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.148{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000097289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.156{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000097288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.148{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000097287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.152{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000097286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.156{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 11241100x800000000000000097285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.172{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2C6DE2808DAF6C137EA1E2D3F4C9041B637209E22023-01-17 10:35:27.142 734700x800000000000000097284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.168{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000097283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.168{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000097282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.168{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000097281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.168{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000097280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.164{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000097279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.164{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000097278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.164{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000097277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.137{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000097276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.164{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000097275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.160{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000097274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.160{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000097273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.160{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000097272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.160{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x800000000000000097271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.160{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 734700x800000000000000097270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.160{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000097269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.156{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000097268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.156{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000097267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.156{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000097266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.156{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000097265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.156{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000097264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.156{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000097263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.152{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000097262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.152{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000097261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.152{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000097260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.152{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000097259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.152{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000097258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.152{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000097257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.152{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000097256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.148{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000097255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.148{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000097254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.148{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000097253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.148{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.148{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000097251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.148{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.143{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.143{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.142{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.142{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000097246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.142{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.142{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000097244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.141{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.26.123485502\1887282343" -childID 23 -isForBrowser -prefsHandle 7716 -prefMapHandle 4932 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c678ce5-1265-4932-97e1-bc83bb086366} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 8060 1793e15be58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000097243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.140{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.140{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.140{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.140{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.140{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.140{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.139{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.139{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.139{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.139{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.139{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.138{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.138{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.138{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.138{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.138{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.137{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.137{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.137{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.137{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.137{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.136{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.136{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.136{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.136{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.135{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000097217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.134{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.26.12348550C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.133{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000097215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.132{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.109{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000097213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.132{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000097212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.132{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000097211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.132{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.125{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.125{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.125{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.125{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.125{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000097205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.124{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000097204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.124{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.25.159906700\1381301445" -childID 22 -isForBrowser -prefsHandle 7304 -prefMapHandle 7580 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c761f6d-ebbd-495e-805c-25e527b25c7a} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7876 1793e04ba58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000097203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.121{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.121{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.121{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.121{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.121{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.121{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.121{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.121{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.121{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.121{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.117{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.113{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.113{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000097177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.113{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.25.15990670C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.113{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000097175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.109{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000097174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.109{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000097173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.109{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.105{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.105{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.105{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.105{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000097168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.105{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.105{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000097166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.104{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.24.572082202\599367602" -childID 21 -isForBrowser -prefsHandle 8268 -prefMapHandle 7452 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f77f2a5-b914-4f44-9158-43079625ebcc} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7624 1793e04a558 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000097165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000097154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 10341000x800000000000000097153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.101{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000097151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C2CFDE370B1F2C1381BD4C65160B8D,SHA256=9846C93DB8BEAEAAC839917488DC47DBDC1125188BF72F65D16C4667742C32EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000097150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.097{F172AD64-6CE6-63C6-0B00-00000000B002}624752C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000097137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.093{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\89904D344A453295A054EC6C9F99E09F190DF9842023-01-17 10:35:46.093 17141700x800000000000000097136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:46.093{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.24.57208220C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000097135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.089{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+45a2cc6|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22 23542300x800000000000000069949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:47.481{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4703B160C0D3EC25DE3A0FA55C85FA,SHA256=F8AD02091D7083B66E8BA5E546B5132A1216678516499E60A291207E8DD33A66,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.832{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9C300F9DCAC6B3C3202AC4C782FB07304F2BCCAD2023-01-17 10:35:47.832 11241100x800000000000000098252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.696{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0D2DCDAB1843A4CD9E8E6BE59400CFEFEFCCE73F2023-01-17 10:35:47.696 11241100x800000000000000098251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.640{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\EAF31091DE00254FE05D4331F97707F5DCBBC4952023-01-17 10:19:32.792 23542300x800000000000000098250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.640{F172AD64-7A02-63C6-A602-00000000B002}7764ATTACKRANGE\AdministratorC:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\EAF31091DE00254FE05D4331F97707F5DCBBC495MD5=09012E82FFF3D34AFBFAB8F66DBF7802,SHA256=E038F928A6022615C1E666263F1817A987C07BF9BDF93D57A1C93F17DD7408AA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.636{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\06766C829C3ED62E432E45C462600E41FF5980822023-01-17 10:35:47.636 11241100x800000000000000098248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.636{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Keys2023-01-17 10:35:47.634 11241100x800000000000000098247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.608{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\EAF31091DE00254FE05D4331F97707F5DCBBC4952023-01-17 10:19:32.792 23542300x800000000000000098246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.607{F172AD64-7A02-63C6-A602-00000000B002}7764ATTACKRANGE\AdministratorC:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\EAF31091DE00254FE05D4331F97707F5DCBBC495MD5=512BFA021324751B10972FD19EEA52F2,SHA256=97A0D32D089B09F032ED037B573393D09C5E9CA1311A54B590B01F8F37BA464A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.577{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2FC33D926064C50420CDAAC969A591D73A7DB8552023-01-17 10:35:47.577 11241100x800000000000000098244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.511{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.510{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15C3AA47F6702D7CDD3BCFAA1F99105,SHA256=9A9B419F0C5708B5B299742CBDE5FD401A3EB06C3990B9D7C5E825891EFB86F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.478{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.478{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.478{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.478{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.478{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.478{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000098236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.462{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0,IMPHASH=1277B5BCF0437BEA5158FFB1086840B6trueMicrosoft WindowsValid 10341000x800000000000000098235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.412{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.412{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.411{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.371{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.371{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.370{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.369{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.369{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.369{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.369{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.368{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.367{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.367{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.367{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.366{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.366{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.365{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.365{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.365{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.365{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.364{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.364{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.364{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.364{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.364{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.364{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.362{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.362{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.362{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.361{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.361{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.361{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.361{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.360{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.360{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.359{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.359{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.337{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88ED,IMPHASH=6097EA32A6AE2378711DDF884725A2AFtrueMicrosoft WindowsValid 10341000x800000000000000098197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.358{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.358{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.358{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.358{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.357{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.357{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.357{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.355{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.355{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.354{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.354{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.353{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.353{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000098184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:35:47.353{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML 10341000x800000000000000098183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.352{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.352{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000098181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.352{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML.TMP2023-01-17 10:35:47.352 10341000x800000000000000098180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.351{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.351{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.351{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.350{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.350{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.349{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000098174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:35:47.349{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D769BB51-6658-4EA8-AE97-39FC12592D5B\Config SourceDWORD (0x00000001) 13241300x800000000000000098173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:35:47.349{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D769BB51-6658-4EA8-AE97-39FC12592D5B\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D769BB51-6658-4EA8-AE97-39FC12592D5B.XML 534500x800000000000000098172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.349{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe 11241100x800000000000000098171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.349{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_D769BB51-6658-4EA8-AE97-39FC12592D5B.XML.TMP2023-01-17 10:35:47.348 10341000x800000000000000098170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.348{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.348{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.345{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.342{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.341{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.340{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.340{F172AD64-79F7-63C6-9F02-00000000B002}7440ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\processhacker-2.39-setup.exeC:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpMD5=1C96ED29E0136825E06F037BF10B2419,SHA256=B10CF8CDF541CA0DD6DF79E66FB4B0854DCAC717ABA034BA0C4961BFF92FD021,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000098163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.340{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.338{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.338{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.336{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.336{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.333{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.331{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.330{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.329{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.318{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90,IMPHASH=158FC41AF95869DAD152F6AD98D3B1B5trueMicrosoft WindowsValid 10341000x800000000000000098153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.324{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x800000000000000098152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.324{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp 10341000x800000000000000098151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.323{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.323{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7631-63C6-A501-00000000B002}1960C:\Windows\system32\csrss.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.321{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.321{F172AD64-6CE6-63C6-0B00-00000000B002}624676C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.320{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.320{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.320{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.318{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7631-63C6-A501-00000000B002}1960C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.317{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.315{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.315{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.313{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.312{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.310{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.310{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.309{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.308{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.307{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.306{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.305{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.304{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.303{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.287{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C,IMPHASH=98E0DBCEA076EF80E7DE241072E34656trueMicrosoft WindowsValid 10341000x800000000000000098128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.303{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.301{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.301{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.300{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.300{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.298{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.297{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.296{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.296{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.265{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.5427 (rs1_release.220929-2054)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=042BC1A44912D2421330C30291BC7AA1,SHA256=FBE69152BD0294AC80715FA35B0F8DE59A29DBE9DFC5E5041CB8AA6BB8B790DE,IMPHASH=9A2F821D250C4CEBC0627590331B869DtrueMicrosoft WindowsValid 10341000x800000000000000098118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.293{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.293{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.293{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.291{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.290{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.289{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.288{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.263{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.5427 (rs1_release.220929-2054)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=398C0C74B6EAB81F28413187CB31C3FC,SHA256=FDC3478B768C9666A82CFA7B5F78EB846F9C466C0FB9A3CE26B3E865A605BBF9,IMPHASH=1278B10B4CD792CEC37AF93D76A387ECtrueMicrosoft WindowsValid 10341000x800000000000000098110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.288{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.288{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.287{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.286{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.285{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.285{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 10341000x800000000000000098104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.284{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.284{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.284{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.281{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.281{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.255{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\winhttp.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=44DF25F229E9374FA1290BE1CA03026B,SHA256=A446A296E85934FD9D10D7BD5B086FE6B4972FD7E93D4CC0ADC1068DD7A5AD81,IMPHASH=35501E61EE90F9745FCEA0F1F844350FtrueMicrosoft WindowsValid 10341000x800000000000000098098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.279{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.277{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.277{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.276{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.276{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x800000000000000098093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.272{F172AD64-7634-63C6-B901-00000000B002}4900404C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.272{F172AD64-7634-63C6-B901-00000000B002}4900404C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.272{F172AD64-7634-63C6-B901-00000000B002}4900404C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.271{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x800000000000000098089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.270{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x800000000000000098088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.269{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\webio.dll10.0.14393.3866 (rs1_release.200805-1327)Web Transfer Protocols APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwebio.dllMD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6,IMPHASH=72061958A1119B16F6B4694A68C7F8CBtrueMicrosoft WindowsValid 734700x800000000000000098087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.268{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 23542300x800000000000000098086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.268{F172AD64-79F7-63C6-A002-00000000B002}4876ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-2E3UC.tmp\_isetup\_shfoldr.dllMD5=92DC6EF532FBB4A5C3201469A5B5EB63,SHA256=9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87,IMPHASH=95F81563369971605FB978131E2F7F51truetrue 10341000x800000000000000098085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.267{F172AD64-7634-63C6-B901-00000000B002}49005092C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.267{F172AD64-7634-63C6-B901-00000000B002}49005092C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.266{F172AD64-7634-63C6-B901-00000000B002}49005092C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.266{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\gpapi.dll10.0.14393.4467 (rs1_release.210604-1844)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=96BBBC9AD606CF5EBAF525E3AB1C69A5,SHA256=32F0EA9185A6E1DE26E3276BAAB0FB5ED72940D34FE5FFDF5331D91E42794124,IMPHASH=54A7A105E11720BE50C587CF0CFA8828trueMicrosoft WindowsValid 734700x800000000000000098081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.266{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000098080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.265{F172AD64-7634-63C6-B901-00000000B002}4900404C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.264{F172AD64-79F7-63C6-A002-00000000B002}4876ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-2E3UC.tmp\_isetup\_setup64.tmpMD5=E4211D6D009757C078A9FAC7FF4F03D4,SHA256=388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95,IMPHASH=F672CB51B1362B8101CC947887B02F34truetrue 734700x800000000000000098078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.262{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000098077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.261{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 10341000x800000000000000098076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.258{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.257{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.256{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.256{F172AD64-7A02-63C6-A602-00000000B002}77647684C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.252{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.250{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.249{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.246{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.246{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.240{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69,IMPHASH=C88C4D131D277C03F0879B4E0D5679DBtrueMicrosoft WindowsValid 10341000x800000000000000098066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.245{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.245{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.245{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.245{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.242{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.242{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.240{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.240{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.239{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.239{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.239{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.238{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.238{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.238{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.238{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.238{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.238{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.238{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.237{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.237{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x800000000000000098046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.237{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.237{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.237{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.237{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.237{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 10341000x800000000000000098041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.237{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F7-63C6-A002-00000000B002}4876C:\Users\ADMINI~1\AppData\Local\Temp\is-PJGC5.tmp\processhacker-2.39-setup.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.237{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.237{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F7-63C6-9F02-00000000B002}7440C:\Users\Administrator\Downloads\processhacker-2.39-setup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.236{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.236{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.236{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.236{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.236{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.236{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.236{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.236{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.236{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.236{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.235{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.235{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.235{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.235{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.235{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.235{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.235{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 10341000x800000000000000098017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000098013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 10341000x800000000000000098012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.234{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.233{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.233{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.233{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.233{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.233{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.233{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0235E3525BE5DB4C5C6BD395904FDD01,SHA256=81F24F10605638E9F9D7A39FE89D67115BC357609B5B1D70CB37E7C9C9C20278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.233{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.233{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.232{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.231{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.231{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.231{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.231{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x800000000000000097987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.231{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.231{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x800000000000000097985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.231{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.231{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 10341000x800000000000000097982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.229{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.229{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.229{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7631-63C6-A501-00000000B002}1960C:\Windows\system32\csrss.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7631-63C6-A501-00000000B002}1960C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.227{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.228{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.227{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.227{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.227{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.227{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.227{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.227{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.226{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 10341000x800000000000000097931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.225{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.224{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.224{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.224{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.224{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.224{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.224{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.224{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0800-00000000B002}488C:\Windows\system32\csrss.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.224{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.224{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.224{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.223{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0700-00000000B002}480C:\Windows\system32\wininit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.223{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.223{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.223{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x800000000000000097915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.223{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.223{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.223{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.223{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.222{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.222{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.222{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.222{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0800-00000000B002}488C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.222{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.222{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.222{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CCA-63C6-0200-00000000B002}304C:\Windows\System32\smss.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.222{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0700-00000000B002}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.222{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.221{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0500-00000000B002}408C:\Windows\system32\csrss.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.221{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.221{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.221{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.221{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.221{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.221{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.220{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.220{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.220{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.220{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.220{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.220{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.219{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0500-00000000B002}408C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.219{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CCA-63C6-0100-00000000B002}4System0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.219{F172AD64-7A02-63C6-A602-00000000B002}77647844C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CCA-63C6-0200-00000000B002}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.218{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.218{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.218{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.218{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.218{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.217{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.217{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.217{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.217{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.217{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0800-00000000B002}488C:\Windows\system32\csrss.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.217{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0800-00000000B002}488C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0700-00000000B002}480C:\Windows\system32\wininit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0700-00000000B002}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0500-00000000B002}408C:\Windows\system32\csrss.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CE6-63C6-0500-00000000B002}408C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CCA-63C6-0200-00000000B002}304C:\Windows\System32\smss.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.216{F172AD64-7A02-63C6-A602-00000000B002}77647848C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CCA-63C6-0100-00000000B002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c04b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+ce3a9|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CCA-63C6-0200-00000000B002}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CCA-63C6-0100-00000000B002}4System0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-6CCA-63C6-0100-00000000B002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.214{F172AD64-7634-63C6-B901-00000000B002}49004040C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E230E5FF)|UNKNOWN(FFFF8AA9E22B3BA2)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x800000000000000097858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.214{F172AD64-7634-63C6-B901-00000000B002}49004040C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E230E5FF)|UNKNOWN(FFFF8AA9E22B3BA2)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca 10341000x800000000000000097857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.214{F172AD64-7634-63C6-B901-00000000B002}49004040C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E230E5FF)|UNKNOWN(FFFF8AA9E22B3BA2)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 734700x800000000000000097856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.159{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll1.5Window Explorer plugin for Process HackerWindow Explorer plugin for Process Hackerwj32WindowExplorer.dllMD5=0E8D04159C075F0048B89270D22D2DBB,SHA256=282696487EA5DC781788D5D8477B977F72B7C70F201C2AF0CFE7E1A9FD8D749A,IMPHASH=807C2A5324CD8C3D21E70814AC733D28trueWen Jia LiuValid 10341000x800000000000000097855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.206{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.206{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.156{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\UserNotes.dll1.6User Notes plugin for Process HackerUser Notes plugin for Process Hackerwj32UserNotes.dllMD5=E48C789C425F966F5E5EE3187934174F,SHA256=FC9D0D0482C63AB7F238BC157C3C0FED97951CCF2D2E45BE45C06C426C72CB52,IMPHASH=DC18317FE7617FECA1007AEFAE7060A6trueWen Jia LiuValid 734700x800000000000000097852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.201{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000097851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.200{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000097850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.155{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\Updater.dll1.7Update checker plugin for Process HackerUpdate checker plugin for Process HackerdmexUpdater.dllMD5=6976B57C6391F54DBD2828A45CA81100,SHA256=0C11CDC3765FFB53BA9707B6F99EC17AE4F7334578A935BA7BCBBC9C7BDEED2E,IMPHASH=A4DE2EEC6F8B6D96D60CFA61BCAA6840trueWen Jia LiuValid 10341000x800000000000000097849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.197{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.152{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\ToolStatus.dll2.4ToolStatus plugin for Process HackerToolStatus plugin for Process HackerdmexToolStatus.dllMD5=3788EFFF135F8B17A179D02334D505E6,SHA256=5713D40DEC146DBC819230DAEFE1B886FA6D6F6DBD619301BB8899562195CBAB,IMPHASH=EB997C25E2337A8DCEB7FA463CE2B04DtrueWen Jia LiuValid 10341000x800000000000000097847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.195{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.192{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 354300x800000000000000097845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.193{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49751-false142.250.191.161ord38s30-in-f1.1e100.net443https 354300x800000000000000097844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.176{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50842- 354300x800000000000000097843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.110{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50938- 354300x800000000000000097842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:45.072{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local55727- 734700x800000000000000097841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.149{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\SbieSupport.dll1.0Sandboxie Support for Process HackerSandboxie Support for Process Hackerwj32SbieSupport.dllMD5=37CBFA73883E7E361D3FA67C16D0F003,SHA256=57C56F7B312DC1F759E6AD039AAC3F36CE5130D259EB9FAAD77239083398308B,IMPHASH=72EE8E9111090FD44C3CCA631502D2BBtrueWen Jia LiuValid 734700x800000000000000097840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.145{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll1.7Online Checks plugin for Process HackerOnline Checks plugin for Process HackerdmexOnlineChecks.dllMD5=12C25FB356E51C3FD81D2D422A66BE89,SHA256=7336D66588BBCFEA63351A2EB7C8D83BBD49B5D959BA56A94B1FE2E905A5B5DE,IMPHASH=04815C367F41620755869BB42BD07B00trueWen Jia LiuValid 734700x800000000000000097839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.181{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x800000000000000097838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.145{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\NetworkTools.dll1.6Network Tools plugin for Process HackerNetwork Tools plugin for Process HackerdmexNetworkTools.dllMD5=D6BED1D6FDBED480E32FDD2DD4C13352,SHA256=476AA6AF14DD0B268786E32543B9A6917A298D4D90E1015DAC6FB2B522CF5D2E,IMPHASH=708B686E80E093711F38091D787A01BDtrueWen Jia LiuValid 734700x800000000000000097837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.177{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x800000000000000097836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.141{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll1.4Hardware Devices plugin for Process HackerHardware Devices plugin for Process HackerdmexHardwareDevices.dllMD5=A46C8BB886E0B9290E5DBC6CA524D61F,SHA256=ACD49F2AA36D4EFB9C4949E2D3CC2BD7AEE384C2CED7AA9E66063DA4150FCB00,IMPHASH=119ABB51B3DE6C8E65225EE81E503143trueWen Jia LiuValid 734700x800000000000000097835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.137{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll1.16Extended Tools plugin for Process HackerExtended Tools plugin for Process Hackerwj32ExtendedTools.dllMD5=BC61E6FB02FBBFE16FB43CC9F4E949F1,SHA256=F2805E0F81513641A440F1A21057A664961C22192CB33FCA3870362C8F872D87,IMPHASH=9D757D0F8F00E9133C716E8E21D6B1B0trueWen Jia LiuValid 11241100x800000000000000097834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.165{F172AD64-6CCA-63C6-0100-00000000B002}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTPhEtKernelLogger.etl2023-01-17 10:35:47.165 734700x800000000000000097833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.164{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000097832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.163{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000097831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.137{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll1.10Extended Services for Process HackerExtended Services for Process Hackerwj32ExtendedServices.dllMD5=4858BDB7731BF0B46B247A1F01F4A282,SHA256=5AE7C0972FD4E4C4AE14C0103602CA854377FEFCBCCD86FA68CFC5A6D1F99F60,IMPHASH=8077ACD95550E90DB0AFD6FB1689E912trueWen Jia LiuValid 11241100x800000000000000097830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.162{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\INF\basicrender.PNF2023-01-17 10:35:47.162 734700x800000000000000097829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.160{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000097828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.159{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.159{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.159{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000097825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.133{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll1.3Extended Notifications for Process HackerExtended Notifications for Process Hackerwj32ExtendedNotifications.dllMD5=BE4DC4D2D1D05001AB0BB2BB8659BFAD,SHA256=61E8CD8DE80A5C0D7CED280FE04AD8387A846A7BF2EE51BCBBA96B971C7C1795,IMPHASH=ACD7837A0F8690FA4B5ADA849F2560B0trueWen Jia LiuValid 734700x800000000000000097824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.157{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000097823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.155{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000097822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.154{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000097821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.154{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000097820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.154{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000097819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.153{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000097818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.128{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Program Files\Process Hacker 2\plugins\DotNetTools.dll1.6.NET tools plugin for Process Hacker.NET tools plugin for Process Hackerwj32DotNetTools.dllMD5=B16CE8BA8E7F0EE83EC1D49F2D0AF0A7,SHA256=B4CC0280E2CAA0335361172CB7D673F745DEFC78299DED808426FFBC2458E4D9,IMPHASH=C3F8D8CDDBA6C99A5F0F2AB21F6F89F6trueWen Jia LiuValid 11241100x800000000000000097817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.150{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\46719718607ED1A8B6FFFFB36947FD2F_0E3C16E78CF68BDF359020744C5958712023-01-17 10:35:47.150 11241100x800000000000000097816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.150{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\46719718607ED1A8B6FFFFB36947FD2F_0E3C16E78CF68BDF359020744C5958712023-01-17 10:35:47.149 18141800x800000000000000097815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:47.149{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-24C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000097814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:47.149{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-24C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.145{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000097812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.145{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000097811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.145{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 11241100x800000000000000097810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.145{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000097809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.145{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B8DC704682C56D1851913BBD43F140B,SHA256=FC87B5A49E7D4D8D5516D8A7681BD531036C86CEECB6488179F40D46C0EAE6B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000097808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.133{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000097807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.133{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000097806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.133{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000097805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:47.133{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.10647501959866131825C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000097804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:47.133{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.10647501959866131825C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.133{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000097802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.128{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000097801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:47.128{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.28.62024789C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000097800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.125{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000097799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:47.125{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000097798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000097797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000097796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 644600x800000000000000097795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.117C:\Program Files\Process Hacker 2\kprocesshacker.sysMD5=1B5C3C458E31BEDE55145D0644E88D75,SHA256=70211A3F90376BBC61F49C22A63075D1D4DDD53F0AEFA976216C46E6BA39A9F4,IMPHASH=F86759BB4DE4320918615DC06E998A39trueWen Jia LiuValid 734700x800000000000000097794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000097793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000097792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000097791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000097790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000097789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000097788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000097787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.121{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 13241300x800000000000000097786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localT1031,T1050SetValue2023-01-17 10:35:47.121{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KProcessHacker3\StartDWORD (0x00000004) 13241300x800000000000000097785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:35:47.121{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KProcessHacker3\DeleteFlagDWORD (0x00000001) 734700x800000000000000097784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.117{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000097783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.117{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000097782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.117{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000097781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.117{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000097780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.117{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000097779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.117{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000097778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.117{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 13241300x800000000000000097777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:35:47.117{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeHKLM\System\CurrentControlSet\Services\KProcessHacker3\Parameters\SecurityLevelDWORD (0x00000001) 13241300x800000000000000097776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:35:47.117{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KProcessHacker3\DisplayNameKProcessHacker3 13241300x800000000000000097775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localT1031,T1050SetValue2023-01-17 10:35:47.117{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KProcessHacker3\ImagePath\??\C:\Program Files\Process Hacker 2\kprocesshacker.sys 13241300x800000000000000097774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:35:47.117{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KProcessHacker3\ErrorControlDWORD (0x00000000) 13241300x800000000000000097773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localT1031,T1050SetValue2023-01-17 10:35:47.117{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KProcessHacker3\StartDWORD (0x00000003) 13241300x800000000000000097772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:35:47.117{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KProcessHacker3\TypeDWORD (0x00000001) 734700x800000000000000097771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.113{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000097770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.113{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000097769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.113{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000097768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.113{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.113{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000097766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.113{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000097765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.113{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000097764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.109{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 11241100x800000000000000097763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.109{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x800000000000000097762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.109{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 23542300x800000000000000097761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.109{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010F1B6847D990DE1B82F3F0F8A9C8FB,SHA256=ACE6C1B29828BD59350777AFEC208C5D3FB9ED70A58875D589215693AAA47854,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000097760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.109{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000097759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.109{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000097758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.109{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000097757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.109{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000097756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.105{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000097755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.105{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000097754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.105{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000097753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.105{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000097752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.105{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000097751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.105{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000097750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.105{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.101{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000097744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000097743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.099{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.28.620247892\2112125913" -childID 25 -isForBrowser -prefsHandle 7428 -prefMapHandle 7416 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92cd47b7-28bf-4ef9-aaaa-b134e99bba08} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7412 17932bf6858 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000097742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.097{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.092{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000097716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:47.092{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.28.62024789C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000097715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.036{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exeC:\Windows\INF\kdnic.PNF2016-09-12 11:34:04.497 23542300x800000000000000097714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.036{F172AD64-6CE6-63C6-0A00-00000000B002}616NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\kdnic.PNFMD5=99BCD354DCE57E48F31947E8004AB711,SHA256=F623053BD5AD7A1223A5E5020F1C5FBDA77D23002C13C4F934EF4E36FA17C920,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000097713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.011{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exeC:\Windows\INF\oem19.PNF2023-01-16 12:47:30.279 23542300x800000000000000097712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.007{F172AD64-6CE6-63C6-0A00-00000000B002}616NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\oem19.PNFMD5=9D359D3E4A611906B3C3DF2465870708,SHA256=0190B3DD26346BB097C134CDD52D9E284CC2F722006A711C09005E38EFFC0F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:48.684{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376EC773113194D349CC407DB5E53130,SHA256=1715298BA92E5762D3406A09847ABB1ADB46ED8BCDC80DE7D013EDF13C836208,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.608{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.608{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CD39309058A95858BE1518713586B3,SHA256=07BEE521713B3D0ABA58AC868CD30425887558749FE4F7708F91F74F5A28E690,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.568{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.568{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC98998B5FC09E8205D958AAECEE6C22,SHA256=38DA325137D2570FBB2DC6235FAEE94035883E795D22D3C1A8E77D1E05D70A30,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.568{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 13:16:44.659 23542300x800000000000000098311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.568{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=52CE763E44A610217AD13D35975B349A,SHA256=8381903A476CA28C5D84E4F4411FF73C5944970922269515FE8A1AA7E9605A74,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.474{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49198- 354300x800000000000000098309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.441{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49753-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local135epmap 354300x800000000000000098308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.441{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local49753-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local135epmap 354300x800000000000000098307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.431{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local55842- 354300x800000000000000098306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.406{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55842- 10341000x800000000000000098305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.300{F172AD64-6CE6-63C6-0A00-00000000B002}6165072C:\Windows\system32\services.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+4daed|C:\Windows\system32\services.exe+4cda2|C:\Windows\system32\services.exe+4e529|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000098304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:46.191{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49752-false10.0.1.12-8000- 11241100x800000000000000098303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.191{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:35:48.191 10341000x800000000000000098302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.188{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.186{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.186{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000098299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.151{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000098298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.151{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F6ABF24BA790E2BADFAD097283C0E24D,SHA256=87AB30745DBEF837C8286721F1DE4A67F6D5C646B3E009BB27357B93C2DF8EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.148{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.145{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.140{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.138{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.137{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.133{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.129{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.128{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.126{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000098288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.122{F172AD64-6CE8-63C6-1300-00000000B002}680NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\Temp\UDDD559.tmpMD5=1B5C3C458E31BEDE55145D0644E88D75,SHA256=70211A3F90376BBC61F49C22A63075D1D4DDD53F0AEFA976216C46E6BA39A9F4,IMPHASH=F86759BB4DE4320918615DC06E998A39truetrue 10341000x800000000000000098287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.121{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000098286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.119{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\Temp\UDDD559.tmp2023-01-17 10:35:48.118 23542300x800000000000000098285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.119{F172AD64-6CE8-63C6-1300-00000000B002}680NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\Temp\UDDD559.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.118{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\Temp\UDDD559.tmp2023-01-17 10:35:48.118 10341000x800000000000000098283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.112{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.108{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.103{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.096{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.089{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.068{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.060{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.055{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.051{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.051{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.051{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.050{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.050{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.050{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.049{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.049{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.049{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.048{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.048{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.048{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.048{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.047{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.047{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.047{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.045{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.045{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.045{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.041{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.011{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x800000000000000098254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.009{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 23542300x800000000000000069951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:49.771{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE673C97A1026F0E2F0387F20244C43,SHA256=25C2E27CA2FD7D1945A67F3583FB66E32DEF86E7FD43981FA3B24D2108305345,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.639{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.635{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433C3C3462A5A6B1922993445A232DB7,SHA256=D3B7D722B5F6408F120074A01871DDD33FAACF93ECAA7EBAAA2DEDD6C73C4BAC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.327{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:35:49.327 354300x800000000000000098327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.301{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49755-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000098326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.301{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49755-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 10341000x800000000000000098325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.193{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.193{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.045{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.045{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.045{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 22542200x800000000000000098320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:47.323{F172AD64-7A02-63C6-A602-00000000B002}7764wj32.org0::ffff:162.243.25.33;C:\Program Files\Process Hacker 2\ProcessHacker.exe 10341000x800000000000000098319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.016{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.012{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.012{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000069953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:50.865{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4C3CC67AA08B02531A168485B2714D,SHA256=39AD67F93CDC9AF8AB3189B151FB7C3C6F144637A8E3D3ED736ADCA103ACB8CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.884{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+97c315|C:\Program Files\Mozilla Firefox\xul.dll+97b599|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+820087|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e 11241100x800000000000000098364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.688{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.688{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FCA973663A38D16777678F5FD2FF1B,SHA256=495C5722C64A13FD89C063C299782ACFAED89942A3DF0A9E53E51ABFB43ECBA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:48.171{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50378-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000098362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.552{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.551{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000098360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.480{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journalMD5=AA394F0C3F4B77E7DA2B8087FCE87795,SHA256=0C690728A829C29C5BA168F34EFFA3566AC934BCCAAC779040F470F98E43BEBF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.474{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\usage2023-01-17 10:35:30.057 23542300x800000000000000098358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.474{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\usageMD5=1B9DE7FDF912FF7B99FFA6CAA2ABFAF3,SHA256=7694D7F81089C724F091A576F25C41B36FCB3BE750DC1DD07D5E53E9CC9BC758,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.472{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\usage-journal2023-01-17 10:35:50.472 11241100x800000000000000098356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journal2023-01-17 10:35:50.471 11241100x800000000000000098355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.444{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db2023-01-17 10:35:50.444 734700x800000000000000098354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.391{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000098353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.390{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000098352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.388{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000098351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.387{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000098350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.385{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000098349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.385{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000098348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.383{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.183{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.180{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.174{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.156{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000098343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.101{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EC8C76F71171765AD4F9656B1D6BD4870B9FDA192023-01-17 10:35:50.101 11241100x800000000000000098342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.101{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CCC257DC65375CFA55E4A23C6C95CE133992038A2023-01-17 10:35:50.101 11241100x800000000000000098341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.101{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\97BD1C7F6F47D894A58E5F34278E6FECDCB8FF7C2023-01-17 10:35:28.486 11241100x800000000000000098340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.101{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E37F93B4D9AF832991DE07529F18224C81C1D15B2023-01-17 10:35:25.516 11241100x800000000000000098339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.101{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0802EEA194471BDF9C6D9B034D42A27600E6D12C2023-01-17 10:35:28.486 11241100x800000000000000098338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.097{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\517CA0332064F4344FC1DB0F08D243076B48341E2023-01-17 10:35:28.486 11241100x800000000000000098337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.097{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C0E9E380C64F6C70CB8EF33CB4DDD267A968441A2023-01-17 10:35:50.097 23542300x800000000000000098336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.097{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\23381MD5=8FB83701816D86F7D7ED22F0AA486879,SHA256=73DD621EA4FB262F29D87C6D8515B5469C83D1F2DC4128E93ADD231223B719A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.097{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\16501MD5=B1620A57C40BDBD1B69FC698F8F5AB88,SHA256=2E836CCB39CC9B3822E61A94E637CDFAF97044F2078C18A0470E401036EB99AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.093{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\29564MD5=1F95A233F0390DD57C569101C38E8EC4,SHA256=720864C41FA1CA5D95C49D9BC88F4FDE10E12B9D2120FD6C1F6C4704EDEDEB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.093{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\11317MD5=E28DB543B051EDF72873490968265AC8,SHA256=0A0E5A5201656FBAC74493055990E63452B47B0C37BA1FF618879FEDBBEA0DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.093{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\24603MD5=582446D45A4029F4B57E4CFFA9621895,SHA256=B2C83DB5A3B7BD00F76C62F33FB23D30BA1BF31DED3B10ACE7AE2045659F73F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.093{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\4430MD5=AB317B46687022ECE15F302659513A90,SHA256=38287AE39165C7B5A737F6A3BCBBC3830DBB3C6025D6718BE05F6B9592A52890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:51.950{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71EEA6D480FCEE5752490605E49991B9,SHA256=2BDB96BD53D6F65414E8322401F6B741DA89D0ED78963C03E3977DCC8B0BB149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.981{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5E5D68624241DE6DF2EE256A345CDBC9,SHA256=75FCE0C2B6409261405AA7F53F050CFF2298103B6FDF0E0819D0F18A8A82B180,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000098542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.966{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000098541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.966{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 354300x800000000000000098540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.010{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49757-false54.167.205.139ec2-54-167-205-139.compute-1.amazonaws.com443https 354300x800000000000000098539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.007{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51620- 354300x800000000000000098538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.007{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65105- 354300x800000000000000098537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.005{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51653- 354300x800000000000000098536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.998{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49545- 354300x800000000000000098535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.998{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61258- 354300x800000000000000098534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.998{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52349- 354300x800000000000000098533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.996{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64934- 354300x800000000000000098532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.996{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52157- 354300x800000000000000098531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.995{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64577- 354300x800000000000000098530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.995{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52489- 354300x800000000000000098529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:49.994{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62594- 10341000x800000000000000098528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.962{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.962{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.960{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000098525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.958{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000098524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.958{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000098523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.955{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000098522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.954{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.954{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.953{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000098519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.952{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 11241100x800000000000000098518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.950{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x800000000000000098517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.950{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 23542300x800000000000000098516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.950{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381FD6697EC99C094A60E15B828DB389,SHA256=1F911872AEB2A2FD0808E80BBA215CC121AC9D583769AE965D70DAF59A409F0B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000098515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.949{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000098514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.949{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000098513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.949{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000098512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.948{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000098511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:51.944{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-25C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000098510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:51.944{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-25C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.940{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000098508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.940{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000098507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.940{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000098506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.928{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.928{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000098504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.928{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000098503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:51.928{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.11706455362473464590C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000098502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:51.928{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.11706455362473464590C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.928{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000098500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.924{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000098499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:51.924{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.29.105664446C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000098498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.920{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000098497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:35:51.920{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.916{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000098495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.916{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000098494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.916{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.916{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.916{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.916{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000098490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.916{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.916{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000098488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.916{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000098487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.912{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000098486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.912{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000098485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.912{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000098484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.912{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.912{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000098482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.912{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.912{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.912{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000098479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.912{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000098478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.908{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000098477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.908{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.908{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.908{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.908{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.908{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.908{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.904{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000098470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.904{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000098469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.904{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000098468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.904{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000098467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.904{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000098466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.904{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000098465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.904{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.900{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000098463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.900{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000098462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.900{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000098461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.900{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.900{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000098459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.900{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.896{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.896{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.896{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.896{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.895{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.29.1056644468\1965152284" -childID 26 -isForBrowser -prefsHandle 7328 -prefMapHandle 2252 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e9d864a-e94a-478c-a39c-be80b2f40a9c} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7580 1793e0d1958 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000098451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.892{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.888{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.888{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.888{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.888{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.888{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.888{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.888{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.888{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000098425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:35:51.888{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.29.105664446C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000098424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.808{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.808{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66415E759090515A8CEAA6C7642D0E9A,SHA256=4414CDF8BE40C754D7042BFA527EEE3D1A4A4C3C494AF22F3CCB87DC464B4753,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.720{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.720{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E67BBBDADC931F1CD7EE8FFC23DA54,SHA256=A56CDFB0B6A620BA29887E06231482B107F85A234E9D60DC1FEF23C39EB6D02A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.407{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B5722D41FFBC5167F13DAB07642EBE941CCF40F62023-01-17 10:35:51.407 23542300x800000000000000098419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.333{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journalMD5=AC5C82909C5E944DD669592927C3026C,SHA256=6E2CEAAD807A4259C3B0ABA36EF160CE7F8468DBABC22DFEF7070F57F6AB6EC3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.321{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\cert9.db-journal2023-01-17 10:35:51.321 10341000x800000000000000098417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.260{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.257{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.256{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A502-00000000B002}4372C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.253{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.251{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.249{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.247{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.245{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000098409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.244{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C19D39AFA58A7F4AB0E80301D3E18775B41985612023-01-17 10:35:51.244 10341000x800000000000000098408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.242{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.240{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.231{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.228{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.226{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.224{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.221{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.218{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.216{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.214{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 354300x800000000000000098398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.131{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49756-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000098397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:48.131{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49756-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 10341000x800000000000000098396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.205{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.204{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.178{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.163{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.162{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.161{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.158{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.157{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.157{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.155{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.141{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.131{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.129{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 11241100x800000000000000098383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.128{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5EB13DED10ED16C847C3867D387DDA55564787B82023-01-17 10:35:51.128 10341000x800000000000000098382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.094{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.088{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.077{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.072{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.070{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.068{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.066{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.063{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.061{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.060{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.058{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000098371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.057{F172AD64-7640-63C6-CB01-00000000B002}61966328C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000098370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.036{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.dbMD5=B179FADD0892441435E6DB9678430901,SHA256=6375B7D40130D5A77D143ACB40E3D36B695995C2295F52329BB420EF775FC02D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.024{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000098368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.024{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000098367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.024{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000098366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.024{F172AD64-6CE7-63C6-0C00-00000000B002}8323164C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 11241100x800000000000000098585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.954{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000098584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.954{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B10B7653E6BE9AAC08C7ABCCF4A3608,SHA256=EA8F0285E9EC63325762FCF8CFA28C48EE03135BE064AB5D27262A2D3A23D17B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.923{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.dbMD5=E125FC59B8D264642C09F69EF0C6284D,SHA256=39C672BCBD9F9FBA4BDFF74E06015E8E4214C912EE6784768CCCDFC95C2A8991,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.895{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.895{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE19D4D736C59FE411C4B314FFC82DB5,SHA256=611473372690956C803F37F745599328B82D909626BA9932603F68C29AA5A8EE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.649{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000017.db2023-01-17 10:35:52.649 354300x800000000000000098579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.402{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49763-false204.62.13.72-443https 354300x800000000000000098578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.383{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64825- 354300x800000000000000098577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.383{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55097- 354300x800000000000000098576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.381{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52728- 10341000x800000000000000098575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.335{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.335{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.335{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.335{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.332{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000098570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.332{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000098569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.322{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52956- 354300x800000000000000098568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.296{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49762-false145.40.89.200-443https 354300x800000000000000098567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.285{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54172- 354300x800000000000000098566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.282{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54671- 354300x800000000000000098565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.217{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49761-false34.197.238.244ec2-34-197-238-244.compute-1.amazonaws.com443https 354300x800000000000000098564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.159{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49760-false192.184.69.252-443https 354300x800000000000000098563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.130{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49759-false35.211.178.172172.178.211.35.bc.googleusercontent.com443https 354300x800000000000000098562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.123{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49758-false68.67.160.132674.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net443https 354300x800000000000000098561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.095{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62232- 10341000x800000000000000098560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000098556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.296{F172AD64-7935-63C6-6402-00000000B002}2296us-east-eb2.3lift.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000098555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.294{F172AD64-7935-63C6-6402-00000000B002}2296us-east-eb2.3lift.com052.223.22.214;35.71.139.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000098554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.294{F172AD64-7935-63C6-6402-00000000B002}2296eb2.3lift.com0type: 5 na-eb2.3lift.com;type: 5 us-east-eb2.3lift.com;::ffff:35.71.139.29;::ffff:52.223.22.214;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000098553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.257{F172AD64-7935-63C6-6402-00000000B002}2296inv-nets.admixer.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000098552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.256{F172AD64-7935-63C6-6402-00000000B002}2296inv-nets.admixer.net0204.62.13.72;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000098551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.255{F172AD64-7935-63C6-6402-00000000B002}2296inv-nets.admixer.net0::ffff:204.62.13.72;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000098550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.159{F172AD64-7935-63C6-6402-00000000B002}2296prebid.a-mo.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000098549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.157{F172AD64-7935-63C6-6402-00000000B002}2296prebid.a-mo.net0145.40.89.200;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000098548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.156{F172AD64-7935-63C6-6402-00000000B002}2296prebid.a-mo.net0::ffff:145.40.89.200;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000098547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.872{F172AD64-7935-63C6-6402-00000000B002}2296zeta-ssp-385516103.us-east-1.elb.amazonaws.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000098546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.871{F172AD64-7935-63C6-6402-00000000B002}2296zeta-ssp-385516103.us-east-1.elb.amazonaws.com03.211.65.60;52.1.249.229;3.213.156.149;34.197.125.228;3.94.46.10;54.88.156.252;3.216.60.139;54.167.205.139;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000098545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.084{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:52.084{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700B7127563DFCBAAB3DF20A26BFB12E,SHA256=5517FAC72F01AF7759765E75D43ACEC6BDB90DF2B08262507F2CC0DD7AB8D480,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.470{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.459{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.427{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.411{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.375{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.363{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.343{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.333{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.330{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.314{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.308{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.303{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.300{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.299{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.296{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.293{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.291{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.289{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.280{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.274{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.256{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.253{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.236{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.226{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.187{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.175{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.163{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.142{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 23542300x800000000000000069962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.137{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B1C0EAC23A87273A9E6A37E0AAB076,SHA256=9A9FA58E70658882C6DB58152298C92E857810527CAA233F3E4CA93F0D9C3B05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.133{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.128{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.116{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.107{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000069957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.098{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000069955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:53.096{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000098591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:53.713{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:53.713{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000098589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:53.713{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000098588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:53.495{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-17 09:39:52.340 23542300x800000000000000098587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:53.495{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C9AB906DE80E2CE0A00786DCE6423C2E,SHA256=80489FCCF030F0D306B8E0E15632A3ADCA54EA68907F253CB6F8165D93CE11CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:50.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49764-false35.71.139.29afb83dd09526a6517.awsglobalaccelerator.com443https 23542300x800000000000000069994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:54.247{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02917FAAA48E46053AB275E23DF84C0B,SHA256=088A5482B384164FFE7F789DE1D326E3D223FE55752747C59A1F56186907799A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.125{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local52604- 354300x800000000000000098596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.095{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52604- 354300x800000000000000098595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.094{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55954- 354300x800000000000000098594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.094{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54481- 11241100x800000000000000098593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:54.011{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:54.011{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D050A89008048DBBE8E540150EF2E5,SHA256=1E12D47D84D88EB98B4829AB8B1860626DD3721E9E5B2E32B60CB7B199063DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:55.287{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B6447DA31F5BC612301FA287ECC894,SHA256=306B8459B8DD98A8406B1417E992377049A086D1F098DBCB4E6DF1F5804EA58E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:55.874{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4CADCFACF5F94BC72235320E34A51E165F49720D2023-01-17 10:35:55.874 11241100x800000000000000098604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:55.874{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BE69EE1E78F1A6D38A33C00456C038854EED64642023-01-17 10:35:55.874 11241100x800000000000000098603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:55.874{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\667DF9860773CD0EFE2350A3D5CCA781E21BA7FB2023-01-17 10:35:55.874 11241100x800000000000000098602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:55.874{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\750C8FB1D121E0D86751F34C925C482FD806ECA92023-01-17 10:35:55.874 11241100x800000000000000098601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:55.874{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B011D0A8977596D2149C2D18A5C0CA3604E2D0DC2023-01-17 10:35:55.874 354300x800000000000000098600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:51.366{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49765-false10.0.1.12-8000- 11241100x800000000000000098599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:55.035{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:55.035{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F13454403DE5F0EDC8F711120AA3FE,SHA256=ACCF8A04B2E087D31C123C9D8EA3BF7B2B8B31F60EAE348F6A75FE0116EA1987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000069998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:56.381{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FB98ACFC3D984842FDAC1B1BBE39AB,SHA256=9A7B3758ACAEF728CF64CE9E7A7D3F1C1A787E42996A61B913BD9F6CA7A92C8A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:56.061{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:56.061{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0D610D3906034B42E6E822DC7238C8,SHA256=18743EDE0E98FBE8A902A51ABA9728DDD9E13CED33825A51ABDFFA6F7BB930AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000069997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:54.125{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50379-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000069996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:56.005{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:57.465{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1244CD893E492CE5AA06B8D2F7FFDCF4,SHA256=90787B901FE578312E62327409455B9C735651C83ABA83739B8C8A0586F812C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:57.094{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:57.094{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F497C10BB3C0307CC5BAEB93EBEBAEED,SHA256=462D0A1B8F7B309C576592E3DAFDFE77A37C259777A8D2D13D67D41B946A2CC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000069999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:57.010{F6EEFE7F-6CEF-63C6-0D00-00000000B102}7644104C:\Windows\system32\svchost.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:58.558{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE399A9585C2392CCB1C8AD68396757,SHA256=4BB3C383DAE32E659C21F81A6A1A3ED152C9110B927C56D0E1B9FD0A4922196A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:58.535{F172AD64-7A02-63C6-A602-00000000B002}77647756C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+29f0c|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a649|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a8bc|C:\Program Files\Process Hacker 2\ProcessHacker.exe+79cc8|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d61e4|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4b54|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+fb7b|C:\Windows\System32\USER32.dll+f0b2|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4e41|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Process Hacker 2\ProcessHacker.exe+21c81|C:\Program Files\Process Hacker 2\ProcessHacker.exe+21b33|C:\Program Files\Process Hacker 2\ProcessHacker.exe+e2e9e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:58.535{F172AD64-7A02-63C6-A602-00000000B002}77647756C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a516|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a8bc|C:\Program Files\Process Hacker 2\ProcessHacker.exe+79cc8|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d61e4|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4b54|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+fb7b|C:\Windows\System32\USER32.dll+f0b2|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4e41|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Process Hacker 2\ProcessHacker.exe+21c81|C:\Program Files\Process Hacker 2\ProcessHacker.exe+21b33|C:\Program Files\Process Hacker 2\ProcessHacker.exe+e2e9e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000098611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:58.130{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:58.130{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EEB112CA064A56820CA187C4D331E19,SHA256=B82F9334EB08E4619930224BD38AE5DF18099C5A9A6F43B0996A7BD4CD190730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:59.771{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:59.756{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885BCC41A95184AF6E7EB8B410D8EAEA,SHA256=542BD3C53B62379F362CA7CCF707770192FB4BDFEFC6229D107629563B4D7735,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.160{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.160{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4053AD6E4E3D0F328B3852A55E66E713,SHA256=F4797A01E1FC7597EEF81ED4CD92FC0179664ABB2D2E16A417F042361211A676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:00.850{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954B3BF93F6E66F32730F2D15A484FD2,SHA256=2CBD92663870656A8A3058FB9CCB8DC16A794BDD638A05909CD392C5193E9DA2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.972{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E930634055AA6A0F25DDB905259FA95C991B13A32023-01-17 10:36:00.972 11241100x800000000000000098656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.891{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shader-cache\5f159678edf4208c2023-01-17 10:36:00.890 10341000x800000000000000098655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.833{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 11241100x800000000000000098654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.805{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9C5B4957F0348617C77778FED107855B63E61FF92023-01-17 10:36:00.805 11241100x800000000000000098653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.805{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\60B6D911EBC1065A1C22F12E54469CE6AB462A0E2023-01-17 10:36:00.805 11241100x800000000000000098652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.805{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E7DBC34C74A6A0C3711A3C0700D4B2D300FA61232023-01-17 10:36:00.801 11241100x800000000000000098651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.801{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5437CAA571D6A528BDD03926250280996536AB062023-01-17 10:36:00.801 11241100x800000000000000098650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.801{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8D56E4ED185AD581EF55B6EE1F52CE133FF38D042023-01-17 10:36:00.801 11241100x800000000000000098649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.801{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\04B55F2CB4DFFB3176D6F4FACBE6BE6487EFA1C92023-01-17 10:36:00.801 11241100x800000000000000098648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.801{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\24941274D28312F62E42B691C015B77E6FA1B5062023-01-17 10:36:00.797 11241100x800000000000000098647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.729{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CF43CB916427E3EF4310CBEABC35406B403F5B962023-01-17 10:36:00.729 11241100x800000000000000098646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.669{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3AA3821F5A95D2E7D4EDA154D9588D66CA1097322023-01-17 10:36:00.669 10341000x800000000000000098645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.665{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+97c315|C:\Program Files\Mozilla Firefox\xul.dll+97b599|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+820087|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e 18141800x800000000000000098644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:00.635{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.14256559968573078832C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000098643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:00.635{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.14256559968573078832C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000098642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.599{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A302-00000000B002}7276C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.599{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A202-00000000B002}3640C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.599{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A102-00000000B002}7908C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.599{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F0-63C6-9D02-00000000B002}7948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.599{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79F1-63C6-9E02-00000000B002}8096C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.599{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-79EF-63C6-9C02-00000000B002}7768C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000098636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:57.252{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49766-false10.0.1.12-8000- 23542300x800000000000000098635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.527{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\protections.sqlite-journalMD5=4F02DAAFC3205CA85999D0B90880DA19,SHA256=5EDB379AE6B9F0195B01EC6886A9CA5DC19EEE9EFA330B9E7386A391A890F37D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.510{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A1FDDF6D3A152941583C9B69525004E5D65A26EE2023-01-17 10:36:00.510 11241100x800000000000000098633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.508{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8C5173373F4926FBCDCD887E0007C088DEA6EB882023-01-17 10:36:00.508 11241100x800000000000000098632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.505{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\protections.sqlite-journal2023-01-17 10:36:00.505 734700x800000000000000098631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.465{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 11241100x800000000000000098630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.485{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E5E5807AD58F8AD99E3941A8D5BDB608C0CE3C322023-01-17 10:36:00.485 734700x800000000000000098629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.463{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x800000000000000098628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.458{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0trueMicrosoft WindowsValid 734700x800000000000000098627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.452{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42,IMPHASH=F3640F50846C35CCE7151F1E835AE727trueMicrosoft WindowsValid 11241100x800000000000000098626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.458{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\42401714ADA19D1DAA3033486DC11AA44F88A4F52023-01-17 10:36:00.457 11241100x800000000000000098625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.455{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Uninstall Process Hacker 2.lnk2023-01-17 10:35:45.877 23542300x800000000000000098624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.454{F172AD64-6CE8-63C6-1300-00000000B002}680NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Uninstall Process Hacker 2.lnkMD5=C8ADBB9EE6280473183BCA3466920492,SHA256=D96E7563777AC06734DA4943DED24EE89E2A2530FD528A023D43CCF3E18001F7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000098623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.449{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x800000000000000098622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.443{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.443{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.443{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.443{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.443{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000098617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.189{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.189{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA7BDED14ADF2F68D8D092E43A9A8AF,SHA256=322924CECFA149FC6A1DEFE6E05A38AA8ED409839C5EB0CFAABD5969A1C2E68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:00.413{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=954DC3827873ACCF173996EE7FE2B2B5,SHA256=9E03AAD8DF056378C68433238474FAD59BD77F5F16482C3F1650F2D1904E5D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:01.938{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A679B4E6B13B631BFD776A932DD11AF3,SHA256=1ABE6AD23E593B8B74FC0526CDABE14E67D6495C801E90322C001517A0931C34,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.940{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D2DED51FAB573B32C748B6AFB53749C7D7BEB90E2023-01-17 10:36:01.940 534500x800000000000000099002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.919{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe 10341000x800000000000000099001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.915{F172AD64-7A02-63C6-A602-00000000B002}77647756C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5E02-00000000B002}3256C:\Windows\system32\conhost.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2c30|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2d4d|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2d4d|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2e4b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+24f34|C:\Program Files\Process Hacker 2\ProcessHacker.exe+23837|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll+611c|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a991|C:\Program Files\Process Hacker 2\ProcessHacker.exe+79cc8|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d61e4|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4b54|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+fb7b 10341000x800000000000000099000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.915{F172AD64-7A02-63C6-A602-00000000B002}77647756C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7922-63C6-5D02-00000000B002}6460C:\Windows\System32\cmd.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2c30|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2d4d|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2e4b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+24f34|C:\Program Files\Process Hacker 2\ProcessHacker.exe+23837|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll+611c|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a991|C:\Program Files\Process Hacker 2\ProcessHacker.exe+79cc8|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d61e4|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4b54|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+fb7b|C:\Windows\System32\USER32.dll+f0b2 10341000x800000000000000098999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.915{F172AD64-7A02-63C6-A602-00000000B002}77647756C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-791E-63C6-5102-00000000B002}4848C:\Users\Administrator\AppData\Roaming\svchost.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2c30|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2e4b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+24f34|C:\Program Files\Process Hacker 2\ProcessHacker.exe+23837|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll+611c|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a991|C:\Program Files\Process Hacker 2\ProcessHacker.exe+79cc8|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d61e4|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4b54|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+fb7b|C:\Windows\System32\USER32.dll+f0b2|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4e41 734700x800000000000000098998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.914{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000098997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.913{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000098996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.910{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.910{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.910{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.909{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.909{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.906{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000098990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.905{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000098989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.904{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000098988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.901{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000098987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.900{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.900{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.900{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000098984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.899{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000098983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.897{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000098982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.896{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000098981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.896{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000098980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.896{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000098979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.895{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000098978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.892{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-28C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000098977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:01.892{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-28C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.891{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000098975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.890{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000098974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.890{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000098973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.877{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.876{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000098971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.875{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000098970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.875{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.3455823145606997714C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000098969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:01.875{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.3455823145606997714C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.875{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000098967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.874{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000098966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.874{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.32.26665399C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000098965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.870{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000098964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.870{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.865{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000098962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.865{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000098961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.865{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.865{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.864{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.864{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000098957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.864{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.863{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000098955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.863{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000098954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.863{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000098953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.862{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000098952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.861{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000098951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.861{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.860{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000098949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.860{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.860{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.860{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000098946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.860{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000098945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.859{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000098944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.858{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.857{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.857{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.856{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.855{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.855{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.854{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000098937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.853{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000098936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.853{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000098935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.852{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000098934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.852{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000098933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.851{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000098932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.851{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.850{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000098930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.849{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000098929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.848{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000098928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.849{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.848{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000098926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.848{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.842{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.842{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.842{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.841{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.841{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.841{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.842{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.32.266653994\64506177" -childID 29 -isForBrowser -prefsHandle 4880 -prefMapHandle 7812 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26b6977b-f80e-4610-9c94-3d688710cc58} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7220 17941024a58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000098918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.840{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.840{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.840{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.840{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.839{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.839{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.839{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.839{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.839{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.839{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.839{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.838{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.838{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.838{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.838{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.838{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.838{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.837{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.837{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.837{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.837{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.837{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.837{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.836{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.836{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.836{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000098892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:01.834{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.32.26665399C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000098891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.796{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8E91F4E326AABDA407FC9F960EEFADB94D91584D2023-01-17 10:36:01.796 354300x800000000000000098890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.862{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49775-false216.105.38.9-443https 354300x800000000000000098889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.724{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49774-false52.0.56.130ec2-52-0-56-130.compute-1.amazonaws.com443https 354300x800000000000000098888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.722{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49772-false52.0.56.130ec2-52-0-56-130.compute-1.amazonaws.com443https 354300x800000000000000098887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.722{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49773-false52.0.56.130ec2-52-0-56-130.compute-1.amazonaws.com443https 354300x800000000000000098886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.715{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49771-false52.0.56.130ec2-52-0-56-130.compute-1.amazonaws.com443https 354300x800000000000000098885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.715{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49770-false52.0.56.130ec2-52-0-56-130.compute-1.amazonaws.com443https 354300x800000000000000098884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.714{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49769-false52.0.56.130ec2-52-0-56-130.compute-1.amazonaws.com443https 354300x800000000000000098883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.709{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49768-false8.43.72.62-443https 354300x800000000000000098882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.704{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49767-false68.67.179.166575.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net443https 10341000x800000000000000098881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.789{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+45a2cc6|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22 734700x800000000000000098880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.768{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000098879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.767{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000098878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.764{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.763{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.760{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000098875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.758{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000098874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.757{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000098873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.755{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000098872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.755{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000098871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.754{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000098870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.753{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.753{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.752{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x800000000000000098867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.752{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.751{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.751{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000098864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.748{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000098863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.748{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000098862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.748{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000098861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.747{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000098860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.747{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000098859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.747{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000098858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.746{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000098857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.745{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 18141800x800000000000000098856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.742{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-27C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000098855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:01.742{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-27C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.741{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000098853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.741{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000098852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.740{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 10341000x800000000000000098851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.740{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.740{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.740{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000098848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.740{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000098847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.738{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000098846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.736{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000098845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.736{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000098844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.736{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000098843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.735{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000098842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.735{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000098841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.730{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-26C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000098840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:01.730{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-26C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.729{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000098838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.728{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000098837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.728{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000098836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.728{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.727{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000098834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.726{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000098833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.725{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 18141800x800000000000000098832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.725{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.10439379319615345396C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000098831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:01.725{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.10439379319615345396C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000098830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.724{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000098829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.724{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.31.53848172C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000098828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.720{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000098827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.720{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.715{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000098825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.715{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x800000000000000098824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.714{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.714{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.714{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.714{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.713{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000098819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.713{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000098818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.713{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.712{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000098816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.712{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000098815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.712{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 18141800x800000000000000098814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.712{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.2490039212426430413C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000098813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:01.712{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.2490039212426430413C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.711{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000098811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.711{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000098810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.711{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 10341000x800000000000000098809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.710{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000098808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.710{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.30.196444288C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.709{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000098806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.709{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.708{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000098804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.708{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.708{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.707{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000098801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.707{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000098800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.705{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 10341000x800000000000000098799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.705{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000098798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:01.705{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.704{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.704{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.704{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.703{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000098793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.702{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.702{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000098791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.701{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000098790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.700{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000098789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.700{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000098788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.700{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000098787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.699{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000098786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.699{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000098785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.699{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000098784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.699{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000098783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.699{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000098782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.699{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000098781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.698{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000098780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.698{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000098779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.698{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000098778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.697{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000098777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.697{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.697{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000098775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.697{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000098774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.696{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000098773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.696{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000098772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.696{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000098771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.695{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 10341000x800000000000000098770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.695{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000098769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.695{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000098768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.694{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000098767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.694{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.694{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000098765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.694{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000098764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.693{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000098763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.693{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000098762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.693{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000098761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.693{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000098760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.691{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000098759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.690{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000098758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.690{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000098757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.690{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000098756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.690{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.689{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.689{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000098753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.689{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.689{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.689{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.689{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.689{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.31.538481727\1377253118" -childID 28 -isForBrowser -prefsHandle 7588 -prefMapHandle 7760 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adad6641-b618-415c-a476-373cfa67424c} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 6992 17940ed2758 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x800000000000000098748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.688{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000098747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.688{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x800000000000000098746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.688{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.688{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.687{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.687{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.687{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.687{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.687{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.687{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.686{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.686{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x800000000000000098736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.686{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.686{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.686{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.686{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.686{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.686{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x800000000000000098730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.685{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.685{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.685{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x800000000000000098727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.685{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.685{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.685{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.685{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x800000000000000098723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.685{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.684{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.684{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x800000000000000098720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.684{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.684{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.684{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.684{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.684{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 10341000x800000000000000098715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.683{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000098714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.683{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000098713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.682{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 17141700x800000000000000098712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:01.682{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.31.53848172C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000098711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.681{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000098710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.681{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000098709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.681{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000098708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.680{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000098707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.680{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.675{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.675{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.674{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.674{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.674{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.674{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.675{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.30.1964442881\1981822313" -childID 27 -isForBrowser -prefsHandle 6560 -prefMapHandle 6568 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8028429-abeb-43cf-a569-a71cf0321860} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 6112 17940ed2158 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000098699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.673{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.673{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.673{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.672{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.672{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.672{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.672{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.672{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.672{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.671{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.671{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.671{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.671{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.671{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.671{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.671{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.670{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.670{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.670{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.670{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.670{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.670{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.669{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.669{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.669{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.669{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000098673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:01.667{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.30.196444288C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000098672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.583{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\086D5D6D1986173C991E4F654718FEE72B51D6762023-01-17 10:36:01.583 354300x800000000000000098671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.306{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55126- 354300x800000000000000098670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.305{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50082- 354300x800000000000000098669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.305{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54161- 354300x800000000000000098668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.303{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64578- 354300x800000000000000098667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.302{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62841- 354300x800000000000000098666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.302{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53379- 354300x800000000000000098665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.301{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55901- 11241100x800000000000000098664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.447{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6D3313FE0CF3162344DA948312AEC3B8F3BDC5A42023-01-17 10:36:01.446 11241100x800000000000000098663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.327{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AD1BE41015F4373F3995E638617B01D0CB4B7E252023-01-17 10:36:01.326 11241100x800000000000000098662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.279{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000098661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.279{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421973CBEDA81DF4BCADC9468F83DD84,SHA256=E859B0C05B06C6A247A3E8704CE49C7B3D7F2A410C0BD8BBE9D5ED614A21DE18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000098660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.260{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5A34A5ECBA5385D4D5EF79C1762FF5D7D93020C32023-01-17 10:36:01.260 354300x800000000000000070006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:35:59.744{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50380-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 22542200x800000000000000098659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.175{F172AD64-7935-63C6-6402-00000000B002}2296ads.pro-market.net0type: 5 ads.pro-market.net.akamaized.net;type: 5 a1944.d.akamai.net;::ffff:23.33.22.153;::ffff:23.33.22.148;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000098658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.097{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3EAE47EEDA35BCE1C9207E4E0CD720CC7E466A5D2023-01-17 10:36:01.096 354300x800000000000000070008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:00.121{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50381-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000099068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.910{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\187663ACA9E5B172EA263B4C7BA5E071198459642023-01-17 10:36:02.909 11241100x800000000000000099067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.890{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2C6DE2808DAF6C137EA1E2D3F4C9041B637209E22023-01-17 10:35:27.142 11241100x800000000000000099066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.889{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1C3FD5074FF7DE0359BFACA1EAE91FFC4BB0019B2023-01-17 10:36:02.889 10341000x800000000000000099065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.882{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+972331|C:\Program Files\Mozilla Firefox\xul.dll+970f9d|C:\Program Files\Mozilla Firefox\xul.dll+970021|C:\Program Files\Mozilla Firefox\xul.dll+97b4db|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+81ff7f|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8 11241100x800000000000000099064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.834{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\54AA731ABCD14B70451F5ABCEF1B9ADB210BC21A2023-01-17 10:36:02.834 354300x800000000000000099063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.895{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49777-false142.250.191.161ord38s30-in-f1.1e100.net443https 354300x800000000000000099062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.836{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54993- 11241100x800000000000000099061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.775{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000099060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.775{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=942E3DB8C98682C0647226CF1C55B7E5,SHA256=CFACE6B0EBEBFF4A716EFB3FFE401717B1BAF11B8B9265F56D4250C0E71F7D16,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.767{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BFC239390D73CE952C21C783E9975EC316436E9B2023-01-17 10:35:25.557 11241100x800000000000000099058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.708{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\487A34AE3BC924581261C218AD7D8243CC385AD02023-01-17 10:36:02.707 11241100x800000000000000099057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.676{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000018.db2023-01-17 10:36:02.676 11241100x800000000000000099056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.675{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A70981311B49A7B775F9DCDFF68B36B5869DBC312023-01-17 10:36:02.675 11241100x800000000000000099055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.660{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1FE86E05B525A52EDB5E4F5A4C64DDA75AB3CBB52023-01-17 10:36:02.660 11241100x800000000000000099054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.652{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000099053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.652{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7261ADAC0FEB903B3005C11FAF147BD4,SHA256=ABA6E687A1B3387F5DD77ED938662B78E44AE3D24F28160C54C011FC18C7B745,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.548{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.548{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.548{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.548{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.548{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.547{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000099046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.469{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49427- 354300x800000000000000099045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.469{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54686- 354300x800000000000000099044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:35:59.982{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49776-false216.105.38.9-443https 11241100x800000000000000099043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.534{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FBFF4695C8E9D60D1322A4ED2E0A33E74786790F2023-01-17 10:36:02.533 11241100x800000000000000099042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.383{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2B10BF0430EA0249FE9E96270F13B86598FE23A72023-01-17 10:36:02.383 10341000x800000000000000099041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.349{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.349{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.349{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.348{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.340{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.340{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000099035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.330{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.329{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E917FD4DC6DB5557BF943312A474BD50,SHA256=9BD3FEB311BFE7FF3EA260297D7A695503A65685164CDF2131642D3CF1C90EB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.323{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.323{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.323{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.322{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.322{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.322{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000099027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.318{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.318{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32BEEBFB99224A4A848E5FB4FF697FC9,SHA256=70F5CC8D177B0AF8ABA30A448E3596B24DEAD0FCD9733AC3428366C15D255252,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.309{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.308{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D378D2984B8454D33D539F4D8BC7351,SHA256=CCF46BDF9911377C90A816425787FFECBC9235BEFF3F2C0D78AB4E8A6F15FD64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.308{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F77DED4B065A57C737608D31E1BEB848ABD5F0072023-01-17 10:36:02.308 10341000x800000000000000099022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.273{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000099021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.221{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\68F8F16DA2B630F9ADBCE40EA6D5CFC2F8F5D8282023-01-17 10:36:02.221 10341000x800000000000000099020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.217{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000099008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.181{F172AD64-7935-63C6-6402-00000000B002}2296prod.ups-ats.us-east-1.aolp-ds-prd.aws.oath.cloud052.45.33.138;3.218.90.66;54.175.87.114;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:00.177{F172AD64-7935-63C6-6402-00000000B002}2296dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com054.237.134.210;18.213.53.43;52.54.121.23;34.202.6.86;54.227.225.148;54.243.208.209;3.213.8.144;54.167.225.48;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000099006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.100{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BE06AF810C80ECA921692C05F177A40F8DDD0C152023-01-17 10:36:02.100 11241100x800000000000000099005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.065{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5C0AB2BF9FD37602746D9CF5E693BA210E32F46E2023-01-17 10:36:02.065 11241100x800000000000000099004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.053{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\79FF98091A8575DD985069880697E5BC4B2B20942023-01-17 10:36:02.052 23542300x800000000000000070009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:03.256{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1419C75B672C98F0FA54FB531A604253,SHA256=41148ED4AA376BEB571F4D11ACCC6C68BB35696B63A85746A1102E80AD267AA7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000099253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.999{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000099252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.998{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000099251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.998{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000099250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.998{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000099249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.998{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000099248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.997{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000099247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.997{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000099246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.997{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 10341000x800000000000000099245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.996{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.996{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000099243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.996{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000099242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.995{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000099241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.995{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000099240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.995{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000099239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.994{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 18141800x800000000000000099238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:03.994{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.7720170317180070435C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.994{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 17141700x800000000000000099236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:03.994{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.7720170317180070435C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.994{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000099234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.993{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 10341000x800000000000000099233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.993{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.993{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 18141800x800000000000000099231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:03.993{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.33.31026737C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.993{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000099229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.992{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000099228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.992{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000099227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.991{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000099226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.990{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000099225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.989{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.989{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000099223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.989{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.989{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 18141800x800000000000000099221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:03.989{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.987{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000099219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.987{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000099218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.985{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000099217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.985{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000099216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.984{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000099215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.984{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000099214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.984{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000099213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.984{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000099212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.983{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000099211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.983{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000099210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.983{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000099209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.983{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000099208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.983{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.983{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000099206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.982{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000099205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.982{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000099204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.982{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000099203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.981{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000099202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.981{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000099201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.981{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000099200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.981{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000099199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.980{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 10341000x800000000000000099198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.980{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000099197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.980{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.980{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000099195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.980{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.979{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000099193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.979{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000099192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.978{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000099191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.978{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000099190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.978{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000099189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.977{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000099188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.977{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000099187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.976{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000099186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.975{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 10341000x800000000000000099185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.975{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.975{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.975{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x800000000000000099182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.974{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.974{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000099180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.974{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.974{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000099178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.974{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000099177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.974{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.974{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.34.2060737265\35334453" -childID 31 -isForBrowser -prefsHandle 8184 -prefMapHandle 6980 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e73cb949-3cd3-47b0-8cfd-70c011f8d5dd} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7172 179415e7258 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x800000000000000099175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.973{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x800000000000000099174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.973{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.973{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.973{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x800000000000000099171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.973{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.972{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.972{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.972{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.972{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.972{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.972{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.971{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.971{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.971{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.971{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.971{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.971{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x800000000000000099158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.971{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.971{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.970{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.970{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.970{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x800000000000000099153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.970{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.970{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.970{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.970{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x800000000000000099149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.970{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.970{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.969{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.969{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x800000000000000099145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.969{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.969{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.969{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000099142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.968{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000099141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.967{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 17141700x800000000000000099140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:03.966{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.34.206073726C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.966{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000099138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.966{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000099137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.965{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000099136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.965{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.965{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000099134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.965{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000099133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:36:03.962{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{dc864547-85dc-49af-9cbb-9e0c99a403b3}\Root\InventoryApplicationFile\svchost.exe|4afb8768d76507e8\BinProductVersion0.0.0.0 13241300x800000000000000099132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:36:03.962{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{dc864547-85dc-49af-9cbb-9e0c99a403b3}\Root\InventoryApplicationFile\svchost.exe|4afb8768d76507e8\LinkDate11/20/2022 00:41:50 13241300x800000000000000099131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:03.962{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{dc864547-85dc-49af-9cbb-9e0c99a403b3}\Root\InventoryApplicationFile\svchost.exe|4afb8768d76507e8\Publisher(Empty) 13241300x800000000000000099130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:36:03.962{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{dc864547-85dc-49af-9cbb-9e0c99a403b3}\Root\InventoryApplicationFile\svchost.exe|4afb8768d76507e8\LowerCaseLongPathc:\temp\svchost.exe 734700x800000000000000099129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.960{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 10341000x800000000000000099128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.960{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.960{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.960{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DD,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000099125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.959{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.959{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.959{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.959{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.958{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.33.310267374\448437462" -childID 30 -isForBrowser -prefsHandle 7240 -prefMapHandle 6076 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48c704ca-2bb4-46d9-8e75-0bc7726b7af9} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 6152 179415e5758 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000099120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.957{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.957{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.957{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.957{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.957{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.957{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.957{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.957{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.956{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.956{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.956{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.956{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.956{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.955{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.955{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.955{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.955{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.954{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.954{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.954{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.953{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.953{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.953{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.952{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.952{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.952{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000099094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:03.950{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.33.31026737C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.947{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x800000000000000099092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.924{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=A0F1500393A5A2AE256507811E2C4EB8,SHA256=3E79304BAA358B36BECAF107178C50F25104C3BDB2A4448AFD967DEC050A724F,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 13241300x800000000000000099091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDBSetValue2023-01-17 10:36:03.920{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\svchost.exeBinary Data 354300x800000000000000099090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.864{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49778-false52.55.144.0ec2-52-55-144-0.compute-1.amazonaws.com443https 11241100x800000000000000099089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.754{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1A1714BF398492918D90C6B9C9104A1190853D5C2023-01-17 10:36:03.754 10341000x800000000000000099088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.746{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.746{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.746{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.745{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.745{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.745{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.743{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.743{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.743{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x800000000000000099079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.717{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\65277BB51179A32E9E26C9307C0C046163515CB92023-01-17 10:36:03.717 10341000x800000000000000099078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.653{F172AD64-6CE8-63C6-0D00-00000000B002}8927048C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:01.392{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50123- 11241100x800000000000000099076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.366{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.366{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CFD44EF61A513F858E00C6863873BD,SHA256=9FC45D918815A5C8BADE2B7F7CB10159581E94140C144DEE12F7DDCFE4040588,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.182{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\34898519BB64A37E050197B9A428919C7105A5582023-01-17 10:36:03.181 11241100x800000000000000099073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.118{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1A86C392FAEC51148846521AE0D3120FE7B7967D2023-01-17 10:36:03.118 734700x800000000000000099072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.117{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.5127Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=949437310EC0EB86F6B5985189C513C8,SHA256=A3751817F2212BFA84BC21D22B06DDEC1B64DD54C532F5902AED9BDD934C99DA,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 11241100x800000000000000099071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.107{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E744175CDB0B6D35F0C53F7CF485DA62F5DA5B582023-01-17 10:36:03.107 23542300x800000000000000099070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.065{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000017.dbMD5=78EE59AE432C3BBCAE7FEEEEDA4DAAEF,SHA256=EDB3C44F5158B34D452F7237C65BC36BCEA195ECAE4FFB7737E164ECCE3435EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:03.013{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+97c315|C:\Program Files\Mozilla Firefox\xul.dll+97b599|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+820087|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e 23542300x800000000000000070010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:04.340{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDE628BA552587C83B4DA9AAFDB2CCD,SHA256=A7888354E782D3F656C02B137F206EBF0795A3C9529F8BB7AA6160FAD0487703,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.856{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\106D373597301A75A0EBBB7AA596E5DC1BBAE1BB2023-01-17 10:36:04.856 10341000x800000000000000099349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.838{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.838{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.838{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.837{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.837{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.837{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e94a87|C:\Program Files\Mozilla Firefox\xul.dll+83b75a|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.833{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.833{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.832{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.830{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.830{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.830{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.830{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.736{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.736{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.736{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.735{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.735{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.735{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.716{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.716{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.716{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.715{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.715{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.715{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.681{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.670{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.670{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:02.263{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49779-false10.0.1.12-8000- 11241100x800000000000000099320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.433{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.433{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0C399022CAD62658CE501E7DD716EA,SHA256=21315DE5A1A26B0D0E0E07FFF574BEF6F6D49D55B12336491C25FF12E4B033CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.396{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.396{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B774E6326C9D174E273986C1018125,SHA256=8E65A62E2DEF5539790A4576ADF4E4899B93C009C0E2203C5C6B2D50E42A1415,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.353{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:36:04.353 10341000x800000000000000099315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.047{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000099306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.046{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000099305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.044{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.043{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.040{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000099302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.038{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000099301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.037{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000099300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.035{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000099299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.034{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.034{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.033{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000099296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.033{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000099295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.032{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x800000000000000099294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.032{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000099293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.030{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000099292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.030{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 10341000x800000000000000099291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.030{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.030{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000099289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.029{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000099288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.029{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x800000000000000099287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.029{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.026{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 18141800x800000000000000099285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:04.026{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-30C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000099284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:04.025{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-30C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.024{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000099282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.024{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000099281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.024{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000099280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.023{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000099279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.023{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x800000000000000099278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.021{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000099277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.020{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.020{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.019{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000099274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.018{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000099273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.016{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000099272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.016{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000099271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.016{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000099270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.015{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000099269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.015{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x800000000000000099268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.011{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000099267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:04.011{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-29C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000099266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:04.011{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-29C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.010{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000099264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.009{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000099263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.009{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x800000000000000099262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.009{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000099261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.009{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 18141800x800000000000000099260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:04.008{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.10697191835669291301C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000099259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:04.008{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.10697191835669291301C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.008{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000099257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.007{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000099256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:04.007{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.34.206073726C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000099255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.004{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000099254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:04.003{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000099373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.967{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.967{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.967{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.965{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.965{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.965{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.853{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e8e011|C:\Program Files\Mozilla Firefox\xul.dll+e7c51d|C:\Program Files\Mozilla Firefox\xul.dll+4413b01|C:\Program Files\Mozilla Firefox\xul.dll+24aa168|C:\Program Files\Mozilla Firefox\xul.dll+9af9c0|C:\Program Files\Mozilla Firefox\xul.dll+964491|C:\Program Files\Mozilla Firefox\xul.dll+1774eb|C:\Program Files\Mozilla Firefox\xul.dll+9b3415|C:\Program Files\Mozilla Firefox\xul.dll+96f14a|C:\Program Files\Mozilla Firefox\xul.dll+97c315|C:\Program Files\Mozilla Firefox\xul.dll+97b599|C:\Program Files\Mozilla Firefox\xul.dll+8a4b6d|C:\Program Files\Mozilla Firefox\xul.dll+820087|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8e66a|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab54a9|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e 11241100x800000000000000099366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.484{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.483{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C713D569CA4CFB7C4AAC5984791D34,SHA256=6A839371156A682E2CCFB5FED586D4A972149427168DD0BB2FDA6F67C87FBDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:05.434{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09876E4ADE43717AE03F499B18D171D,SHA256=716AAD8C6D6D8FB9E2BA8313675692E038BE555BC0C24BB70945A4C6FF1E9043,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.200{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2353368B6A6ADFDE0E5D922F8234F7BD98F730DE2023-01-17 10:36:05.200 11241100x800000000000000099363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.200{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\97BD1C7F6F47D894A58E5F34278E6FECDCB8FF7C2023-01-17 10:35:28.486 11241100x800000000000000099362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.199{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E37F93B4D9AF832991DE07529F18224C81C1D15B2023-01-17 10:35:25.516 11241100x800000000000000099361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.199{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\517CA0332064F4344FC1DB0F08D243076B48341E2023-01-17 10:35:28.486 11241100x800000000000000099360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.197{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0802EEA194471BDF9C6D9B034D42A27600E6D12C2023-01-17 10:35:28.486 11241100x800000000000000099359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.197{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7607855AE6CE02B59EA343C76ACB6D4BC4FD05142023-01-17 10:36:05.196 11241100x800000000000000099358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.196{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0CF0600704C38370284AD73D04989C4BB2EA6B102023-01-17 10:36:05.196 11241100x800000000000000099357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.196{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B5EDA09B27C3D310447BF98A1C46F65B7B4EDF5B2023-01-17 10:36:05.196 23542300x800000000000000099356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.195{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\19315MD5=11E93EBB3716602116EDE63714AA911B,SHA256=5590FC3B06B879BE377C918FC1D9194B33A0AA6AAF76CEB5B9FB8E9A485463D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.194{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\14018MD5=CCD012C51B1676533B8E6BA55FCA627C,SHA256=D5A361384947CCF118EEDC11823B4F5700C598AD41E729FE952D6A6805E109E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.193{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\14130MD5=B3296DEE009384E730C4047A9F675AB4,SHA256=C653B644D044A4B8709898A5D821FA62C12A52973F45D94C576338C928DBA7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.192{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\7487MD5=9BA39781053ED5AF69F225755A77D571,SHA256=846E510A23A3536B5BA5B27603E7D551DCB5CCE089143291DDB168E97D8409FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.192{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\7711MD5=D4D392EA6D1702E6F9CD483D95B28C7C,SHA256=9BA1C3A82328AD19462400FEEA3543CA2BB2766DE8110ED285FA97C3B08AC89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.191{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\27417MD5=8563A93AD2B768E4EACD307ED005F0B6,SHA256=9A9951643D9A625EEC54D02E581F06CD4BE1CAB4C2EA81358F5ACF120E1B6C7C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000099510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-SetValue2023-01-17 10:36:06.998{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92a5f-0x81ace116) 734700x800000000000000099509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.939{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll108.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=387E855298C1C428915111AFD51A524D,SHA256=5DA348C1174B780FD488C6480A4A69A3B1366E48C896FF50B8602438E7CB08FA,IMPHASH=75F898D338DB4536FF1C827A8DB09FE1trueMozilla CorporationValid 734700x800000000000000099508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.938{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll108.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=0FE4B5FC61DF94790CE6938370CF9A5D,SHA256=FCAA2F9575993044E7E650009AD0C158502F92CD0178B81BC01437C6BF214D3D,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x800000000000000099507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.935{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.934{F172AD64-6CE8-63C6-1100-00000000B002}6121604C:\Windows\system32\svchost.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.931{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x800000000000000099504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.929{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x800000000000000099503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.928{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x800000000000000099502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.925{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x800000000000000099501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.924{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.924{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.924{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000099498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.922{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000099497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.921{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000099496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.920{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000099495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.920{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000099494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.920{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000099493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.919{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x800000000000000099492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:06.915{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-31C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000099491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:06.915{F172AD64-7935-63C6-6402-00000000B002}2296\LOCAL\cubeb-pipe-2296-31C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.913{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000099489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.913{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x800000000000000099488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.913{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x800000000000000099487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.900{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.898{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000099485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.897{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x800000000000000099484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:06.896{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.17432754114651311369C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000099483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:06.896{F172AD64-7935-63C6-6402-00000000B002}2296\gecko.2296.7140.17432754114651311369C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.896{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000099481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.895{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1aac5c5|C:\Program Files\Mozilla Firefox\xul.dll+1aa9cf7|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000099480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:06.895{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.35.207800213C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000099479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.891{F172AD64-7935-63C6-6402-00000000B002}22964436C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10d3ab|C:\Program Files\Mozilla Firefox\xul.dll+1310400|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000099478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-ConnectPipe2023-01-17 10:36:06.891{F172AD64-7935-63C6-6402-00000000B002}2296\gecko-crash-server-pipe.2296C:\Program Files\Mozilla Firefox\firefox.exe 734700x800000000000000099477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.886{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000099476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.885{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000099475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.885{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000099474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.885{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000099473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.884{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000099472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.884{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000099471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.884{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000099470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.883{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x800000000000000099469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.883{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000099468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.883{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll108.0.2-FirefoxMozilla Foundationxul.dllMD5=FD07CB31FD65C25D6A3335A3AA4E8811,SHA256=44F45500D6BB8109A2C04B2CEEA52BDDD4D674F19A738AF7353646385A197C35,IMPHASH=F653DF98869018D5175A681E17FBCEFFtrueMozilla CorporationValid 734700x800000000000000099467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.882{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll108.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=BB22FAFE431464B288B806B18C50937D,SHA256=BBC1C44171245BF9FDAF6B263098340D7618B692C404D2348D417422593FBED9,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x800000000000000099466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.881{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x800000000000000099465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.880{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000099464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.880{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000099463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.880{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000099462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.880{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000099461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.879{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000099460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.879{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll108.0.2-FirefoxMozilla Foundationnss3.dllMD5=072B20F48BE6A8E390834F972F534452,SHA256=1C41AAAD6891F7C3E4AD96A39E6063F8B76B8C20F226908767EF6B9F2C12219E,IMPHASH=2A6EC6346A087B3F49C313A4ADB79923trueMozilla CorporationValid 734700x800000000000000099459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.877{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000099458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.877{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000099457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.876{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.876{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.876{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000099454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.875{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000099453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.874{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000099452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.873{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x800000000000000099451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.872{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x800000000000000099450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.872{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x800000000000000099449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.871{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000099448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.871{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000099447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.870{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll108.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D660BEE36D7D5EBFF5BF7FFB0FEC5370,SHA256=4A74636A829CF01670BA66C906E9FA7188D159A15F252BA5DA8C0BCBAE5789EE,IMPHASH=897806576B271A7C0F1D2A68497F38B7trueMozilla CorporationValid 734700x800000000000000099446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.870{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.869{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000099444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.868{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000099443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.867{F172AD64-7935-63C6-6402-00000000B002}22965620C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26a66|C:\Program Files\Mozilla Firefox\xul.dll+e94587|C:\Program Files\Mozilla Firefox\xul.dll+e8e179|C:\Program Files\Mozilla Firefox\xul.dll+e7eaad|C:\Program Files\Mozilla Firefox\xul.dll+e8d132|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+1a8cb67|C:\Program Files\Mozilla Firefox\xul.dll+1a8bf95|C:\Program Files\Mozilla Firefox\xul.dll+1a8ea22|C:\Program Files\Mozilla Firefox\xul.dll+17f11f8|C:\Program Files\Mozilla Firefox\xul.dll+1ab557b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+177078|C:\Program Files\Mozilla Firefox\xul.dll+175ef7|C:\Program Files\Mozilla Firefox\xul.dll+4623251|C:\Program Files\Mozilla Firefox\xul.dll+469557c|C:\Program Files\Mozilla Firefox\xul.dll+469638d|C:\Program Files\Mozilla Firefox\xul.dll+20140e2|C:\Program Files\Mozilla Firefox\firefox.exe+1e8ee|C:\Program Files\Mozilla Firefox\firefox.exe+2c7a8|C:\Windows\System32\KERNEL32.DLL+84d4 734700x800000000000000099442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.867{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.867{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125trueMozilla CorporationValid 10341000x800000000000000099440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.867{F172AD64-7935-63C6-6402-00000000B002}22967140C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f2b6a|C:\Program Files\Mozilla Firefox\xul.dll+ee694|C:\Program Files\Mozilla Firefox\xul.dll+2536826|C:\Program Files\Mozilla Firefox\xul.dll+1aa9ebd|C:\Program Files\Mozilla Firefox\xul.dll+126e5|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+12217|C:\Program Files\Mozilla Firefox\xul.dll+9d8401|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.861{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.861{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.861{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.861{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.861{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.861{F172AD64-7935-63C6-6402-00000000B002}22965056C:\Program Files\Mozilla Firefox\firefox.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+a7d2|C:\Program Files\Mozilla Firefox\firefox.exe+61d3|C:\Program Files\Mozilla Firefox\xul.dll+7b041e|C:\Program Files\Mozilla Firefox\xul.dll+9edd74|C:\Program Files\Mozilla Firefox\xul.dll+9ebd55|C:\Program Files\Mozilla Firefox\xul.dll+9f3ade|C:\Program Files\Mozilla Firefox\xul.dll+839603|C:\Program Files\Mozilla Firefox\xul.dll+17f1aa8|C:\Program Files\Mozilla Firefox\xul.dll+17dd53b|C:\Program Files\Mozilla Firefox\xul.dll+9dba5f|C:\Program Files\Mozilla Firefox\xul.dll+1f54e|C:\Program Files\Mozilla Firefox\xul.dll+83d757|C:\Program Files\Mozilla Firefox\nss3.dll+744bc|C:\Program Files\Mozilla Firefox\nss3.dll+89241|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e8a8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.861{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe108.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2296.35.2078002130\1354547190" -childID 32 -isForBrowser -prefsHandle 6104 -prefMapHandle 7172 -prefsLen 30609 -prefMapSize 230565 -jsInitHandle 1084 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fa78c83-8238-428d-9eb3-7e67368143ed} 2296 "\\.\pipe\gecko-crash-server-pipe.2296" 7768 17940c18f58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2LowMD5=9CF0EC9A0071CD7DBE5A1FCE0C542B22,SHA256=701D0AE1DAE554E044C7B1EA66B77641299584AEDBA427C4567B7273E45F59AD,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000099432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.860{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.860{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.860{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.860{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.859{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.859{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.859{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.859{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.859{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.858{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.858{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.858{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.858{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.858{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.858{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.857{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.857{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.857{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.857{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.857{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.857{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.856{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.856{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.856{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.856{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.856{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000099406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-CreatePipe2023-01-17 10:36:06.854{F172AD64-7935-63C6-6402-00000000B002}2296\chrome.2296.35.207800213C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.048{F172AD64-7935-63C6-6402-00000000B002}2296e9126.x.akamaiedge.net023.32.229.33;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.047{F172AD64-7935-63C6-6402-00000000B002}2296stags.bluekai.com0type: 5 tags.bluekai.com.edgekey.net;type: 5 e9126.x.akamaiedge.net;::ffff:23.32.229.33;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.036{F172AD64-7935-63C6-6402-00000000B002}2296pippio.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.035{F172AD64-7935-63C6-6402-00000000B002}2296pippio.com0107.178.254.65;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.034{F172AD64-7935-63C6-6402-00000000B002}2296pippio.com0::ffff:107.178.254.65;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.852{F172AD64-7935-63C6-6402-00000000B002}2296zemanta-nychi.zemanta.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.849{F172AD64-7935-63C6-6402-00000000B002}2296zemanta-nychi.zemanta.com070.42.32.223;70.42.32.127;50.31.142.159;70.42.32.191;64.74.236.223;64.202.112.191;50.31.142.63;64.202.112.159;50.31.142.223;50.31.142.31;64.74.236.95;50.31.142.191;70.42.32.255;64.74.236.191;50.31.142.95;50.31.142.255;50.31.142.127;64.74.236.31;70.42.32.159;64.74.236.159;64.202.112.223;70.42.32.63;64.202.112.255;64.202.112.127;64.74.236.63;64.74.236.127;64.202.112.95;70.42.32.95;70.42.32.31;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.847{F172AD64-7935-63C6-6402-00000000B002}2296b1sync.zemanta.com0type: 5 zemanta-nychi.zemanta.com;::ffff:64.202.112.63;::ffff:70.42.32.223;::ffff:70.42.32.127;::ffff:50.31.142.159;::ffff:70.42.32.191;::ffff:64.74.236.223;::ffff:64.202.112.191;::ffff:50.31.142.63;::ffff:64.202.112.159;::ffff:50.31.142.223;::ffff:50.31.142.31;::ffff:64.74.236.95;::ffff:50.31.142.191;::ffff:70.42.32.255;::ffff:64.74.236.191;::ffff:50.31.142.95;::ffff:50.31.142.255;::ffff:50.31.142.127;::ffff:64.74.236.31;::ffff:70.42.32.159;::ffff:64.74.236.159;::ffff:64.202.112.223;::ffff:70.42.32.63;::ffff:64.202.112.255;::ffff:64.202.112.127;::ffff:64.74.236.63;::ffff:64.74.236.127;::ffff:64.202.112.95;::ffff:70.42.32.95;::ffff:70.42.32.31;::ffff:64.74.236.255;::ffff:64.202.112.31;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.845{F172AD64-7935-63C6-6402-00000000B002}2296sid.storygize.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.845{F172AD64-7935-63C6-6402-00000000B002}2296cs.admanmedia.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.843{F172AD64-7935-63C6-6402-00000000B002}2296sid.storygize.net052.36.128.250;35.166.20.234;35.161.243.19;54.69.145.252;54.185.138.62;52.40.71.232;34.214.58.41;54.148.85.76;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.843{F172AD64-7935-63C6-6402-00000000B002}2296cs.admanmedia.com080.77.87.162;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.842{F172AD64-7935-63C6-6402-00000000B002}2296sid.storygize.net0::ffff:54.148.85.76;::ffff:52.36.128.250;::ffff:35.166.20.234;::ffff:35.161.243.19;::ffff:54.69.145.252;::ffff:54.185.138.62;::ffff:52.40.71.232;::ffff:34.214.58.41;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000099392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.842{F172AD64-7935-63C6-6402-00000000B002}2296cs.admanmedia.com0::ffff:80.77.87.162;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000099391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.585{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.585{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CA7BA0FE40A81D491A2FB255AC7267,SHA256=83AE08F2C60CB9CCBD8866D4A0EB5D479A73C073AD54F1BD2A3D68A9F5A23C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.453{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journalMD5=00C320AE2A935DB25B9FE3BA108D0848,SHA256=450DF2AB384138F75A804BC4E5954F070831141C8355C2E8D2DA16DC398BBD19,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.446{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\usage2023-01-17 10:35:30.057 23542300x800000000000000099387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.446{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\usageMD5=1B9DE7FDF912FF7B99FFA6CAA2ABFAF3,SHA256=7694D7F81089C724F091A576F25C41B36FCB3BE750DC1DD07D5E53E9CC9BC758,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.445{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\usage-journal2023-01-17 10:36:06.445 11241100x800000000000000099385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.443{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\default\https+++sourceforge.net\ls\data.sqlite-journal2023-01-17 10:36:06.443 11241100x800000000000000099384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.346{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BF52C77FCC25C3AA5021DBFFF6754AD33B534EEA2023-01-17 10:36:06.346 11241100x800000000000000099383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.193{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\41CC62319E15E4BF855910F98B244E286B0C1C5E2023-01-17 10:36:06.193 11241100x800000000000000099382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.126{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B5C537D824A7871C8F41A0FC7FDB28849B37D9572023-01-17 10:36:06.125 11241100x800000000000000099381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.035{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\26992A2B64DCAA9F993AB5EA558605A9C5E3199C2023-01-17 10:36:06.035 10341000x800000000000000099380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.029{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.029{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.029{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.025{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.025{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.025{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.025{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:06.503{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729431A4E0B87243337FBA1D19AEEE7E,SHA256=CEDD784FA3BB8F85B728FE69F504A5EB964D0039516E519806A935BBFE95E615,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:06.140{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50382-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:07.591{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C7C44322C64DF2B29D5E09F622ADBF,SHA256=1CABD388F6D3EF27599CEA7B51E5E0968A7D23AB4CDE256DB9318B9CE886F2C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.897{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.897{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.897{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.896{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.896{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.896{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 22542200x800000000000000099549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.050{F172AD64-7935-63C6-6402-00000000B002}2296e9126.x.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000099548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.738{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.737{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.379{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local62814-false142.250.190.130ord37s36-in-f2.1e100.net443https 354300x800000000000000099545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.297{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64562-false142.250.190.130ord37s36-in-f2.1e100.net443https 354300x800000000000000099544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.281{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62813- 354300x800000000000000099543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.280{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49563- 354300x800000000000000099542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.277{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local61106-false107.178.254.65-443https 354300x800000000000000099541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.194{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64561-false44.199.177.143ec2-44-199-177-143.compute-1.amazonaws.com443https 354300x800000000000000099540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.189{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64560-false23.32.229.33a23-32-229-33.deploy.static.akamaitechnologies.com443https 354300x800000000000000099539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.177{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64082- 354300x800000000000000099538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.176{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62366- 354300x800000000000000099537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.176{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52065- 354300x800000000000000099536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.175{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49946- 354300x800000000000000099535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.175{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64559-false107.178.254.65-443https 354300x800000000000000099534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.173{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54536- 354300x800000000000000099533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.163{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64236- 354300x800000000000000099532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.162{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53941- 10341000x800000000000000099531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.129{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64556-false54.148.85.76ec2-54-148-85-76.us-west-2.compute.amazonaws.com443https 354300x800000000000000099526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.098{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64558-false64.202.112.63ny.outbrain.com443https 354300x800000000000000099525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.092{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64557-false3.218.90.66ec2-3-218-90-66.compute-1.amazonaws.com443https 354300x800000000000000099524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.023{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49423- 354300x800000000000000099523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local49780-false80.77.87.162-443https 354300x800000000000000099522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.977{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55152- 354300x800000000000000099521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.974{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64555-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domain 354300x800000000000000099520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.974{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64555-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domain 354300x800000000000000099519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.972{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61523- 354300x800000000000000099518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.971{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54641- 354300x800000000000000099517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.971{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61414- 354300x800000000000000099516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.971{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54798- 354300x800000000000000099515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:04.969{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65321- 11241100x800000000000000099514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.024{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.024{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF42F19F4608FF1705B65574CE6FB67F,SHA256=3A409B1AEE2E688B38A68B36DFE95F228C8A0EC4D8B16C57E4BA9674CD6DBCE7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.004{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.003{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EA5A98B0CB919CFA2B8ADAA5949646,SHA256=76B5E6E47450152ABCFF226F8C522B5EA0D91C3BCAC30251A665B9C278029624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:08.901{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E6B93BFB15C9C14EE9D4261F1172BB,SHA256=8E2571BDDE49C4240895EA8A609E2A47D3963AC946A51BABFBA05CDB97552216,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.870{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.870{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.870{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 734700x800000000000000099590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.582{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 354300x800000000000000099589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.556{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61872- 354300x800000000000000099588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.556{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local56064- 354300x800000000000000099587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:05.556{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55613- 734700x800000000000000099586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.438{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56,IMPHASH=239D379DAEC05CA48775D7DD3AA4BFCAtrueMicrosoft WindowsValid 734700x800000000000000099585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.437{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x800000000000000099584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.434{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 734700x800000000000000099583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.432{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4,IMPHASH=D74AB287506D6E20949755E75302AD32trueMicrosoft WindowsValid 734700x800000000000000099582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.406{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\schannel.dll10.0.14393.5429 (rs1_release_inmarket.221012-1839)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=BA127C2DE77B5CD50F132FC072E195BB,SHA256=D849A9899E3F4904620539E5B5871EE5AA098FB9A208AF5258D7A7344054087C,IMPHASH=D9603397C5B04530FFA0321E70FF2308trueMicrosoft WindowsValid 10341000x800000000000000099581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.173{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.169{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.164{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.161{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.160{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.154{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.150{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.148{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.146{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.141{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.130{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.126{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.119{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.112{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.104{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.078{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.067{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.060{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.053{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.045{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x800000000000000099561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.043{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 11241100x800000000000000099560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.042{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x800000000000000099559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.042{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AA46F42626A2FCCF337FD1CF1D8B28,SHA256=D76E2FCA0B60A1457B57EF793B1C873A72FBD0478AC13D3416EB0630EF7DF7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.042{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=917AB91E9E737EADC846C917162C0AA4,SHA256=5148D08B7195C1C5DCF2703CFD1BFB733B5241447F5B163294E4146E62111DC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.009{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.005{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x800000000000000070016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:09.993{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C17E292920250E23E106D578777FAF,SHA256=3857738115E3770A558F3A9497E3A124E950DE37A479886D8B6A96571D58EF1D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:09.980{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:09.980{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD03917E27698AA81ED381A73DB4D2D0,SHA256=4E7F618523C7CC4988BCC066A747F955AE1A210B14CA86F12453038FD697C858,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.519{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64565-false104.18.10.128-443https 354300x800000000000000099607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.495{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64564-false104.18.10.128-80http 354300x800000000000000099606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.461{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64636- 354300x800000000000000099605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.298{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64563-false10.0.1.12-8000- 354300x800000000000000099604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.628{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61108- 354300x800000000000000099603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.628{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52295- 354300x800000000000000099602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.628{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local61107- 354300x800000000000000099601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:06.081{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local123ntpfalse168.61.215.74-123ntp 10341000x800000000000000099600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:09.359{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:09.359{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:09.359{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:09.261{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:09.260{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000099595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:09.061{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:09.060{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8017AF659CC4AEC8D8E5CFE3969696F,SHA256=783140A0B3E45FE40A3E33C63E413C891672B0635785E9D17A993A15DEDAD64D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000099681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.988{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6,IMPHASH=291B64B0984CCD3A091CF75D2A111D5DtrueMicrosoft CorporationValid 734700x800000000000000099680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.959{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000099679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.953{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000099678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.939{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=1E97AB4809C6F313924374B955C06609,SHA256=0EED3DC3607EC986FFC8BE594A6656D668647DCC84E2158006123A4EBD273B12,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 10341000x800000000000000099677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.922{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.914{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x800000000000000099675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.914{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x800000000000000099674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.909{F172AD64-79B2-63C6-8A02-00000000B002}62088100C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CF6EBC) 734700x800000000000000099673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.908{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 10341000x800000000000000099672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.875{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000099671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.875{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000099670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.871{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000099669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.871{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000099668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.871{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CB0F3B) 10341000x800000000000000099667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.870{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000099666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.866{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000099665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.866{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA6406) 10341000x800000000000000099664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.866{F172AD64-79B2-63C6-8A02-00000000B002}62088100C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA38F9) 734700x800000000000000099663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.864{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationmscordacwks.dllMD5=34430BB4DBFA4814115EC8D42BE9B4CC,SHA256=9E5008F4B2B9A12EA4262647C1A6362E1CB96DFBC68B538E133B2A2A3CD9F33F,IMPHASH=749340B5A3E31B3E36A3A4A7F57CCF2DtrueMicrosoft CorporationValid 10341000x800000000000000099662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.863{F172AD64-79B2-63C6-8A02-00000000B002}62088116C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c1d4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.861{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32F,IMPHASH=CD244BF7A749BF0B13E038D2EE842BFCtrueMicrosoft CorporationValid 734700x800000000000000099660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.861{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153,IMPHASH=0524DC27AA10ADA72FFB6F88F5FD8829trueMicrosoft CorporationValid 734700x800000000000000099659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.861{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=3E93DA6D9661961064868E1DC8719674,SHA256=94E0505EFFF30A222546870508A8016D3EABE0F1B05ECC51997153AB9D9188DF,IMPHASH=259C196C67C4E02F941CAD54D9D9BB8AtrueMicrosoft CorporationValid 734700x800000000000000099658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.860{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x800000000000000099657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.860{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000099656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.858{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000099655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.857{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.857{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000099653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.856{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000099652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.856{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.855{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000099650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.855{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.855{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000099648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.854{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000099647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.853{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x800000000000000099646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.852{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000099645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.852{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000099644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.851{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000099643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.851{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 11241100x800000000000000099642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.851{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FCB95EB752C5DF65722BA3DE25A3D86B4624C7A82023-01-17 10:36:10.850 11241100x800000000000000099641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.850{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\640FA401D143B2ADBB35C936BA4959C7016D665C2023-01-17 10:36:10.849 734700x800000000000000099640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.849{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 11241100x800000000000000099639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.849{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AEAD0C9CD75CA0CC17D22C4343C58A16A6DEC7042023-01-17 10:36:10.849 734700x800000000000000099638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.849{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000099637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.848{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 10341000x800000000000000099636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.847{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.847{F172AD64-79B2-63C6-8A02-00000000B002}62088116C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9424|C:\Windows\System32\KERNELBASE.dll+c3fe5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.847{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.847{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000099632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.847{F172AD64-79B2-63C6-8A02-00000000B002}62088116C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.847{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\svchost.exe0.0.0.0 --svchost.exeMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 10341000x800000000000000099630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.847{F172AD64-79B2-63C6-8A02-00000000B002}62088116C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.847{F172AD64-79B2-63C6-8A02-00000000B002}62088116C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+55fc0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.847{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.847{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.846{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.846{F172AD64-79B2-63C6-8A02-00000000B002}62088116C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7437c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5522b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.846{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0.0.0.0 --svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe" 10341000x800000000000000099623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.846{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.841{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.840{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.840{F172AD64-7634-63C6-B901-00000000B002}49005540C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.644{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.642{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 354300x800000000000000099617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:07.672{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64566-false104.18.21.229-443https 10341000x800000000000000099616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.203{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.198{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.193{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:10.177{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 22542200x800000000000000099612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.533{F172AD64-7A02-63C6-A602-00000000B002}7764processhacker.sourceforge.io0type: 5 prwebsecure.sourceforge.io.cdn.cloudflare.net;::ffff:104.18.21.229;::ffff:104.18.20.229;C:\Program Files\Process Hacker 2\ProcessHacker.exe 22542200x800000000000000099611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:08.357{F172AD64-7A02-63C6-A602-00000000B002}7764processhacker.sourceforge.net0type: 5 projects.sourceforge.net.cdn.cloudflare.net;::ffff:104.18.10.128;::ffff:104.18.11.128;C:\Program Files\Process Hacker 2\ProcessHacker.exe 23542300x800000000000000070017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:11.074{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D251DC934F613C63B866074A996CEB2,SHA256=F45CC5C0C2F711EDF41CC08D79550F9C8251B8FCDCA95F61D85FA2A5D07AB303,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.922{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x800000000000000099741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.922{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=23ED78E279262B05B0688087681542F1,SHA256=4E59B3A563071DC1F1C16BD9948A945B668919EF4BB3AF5650955A1D299FD0D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.876{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.876{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.876{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.874{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.874{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.874{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x800000000000000099734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.625{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.625{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC0C8036439200345E83A5538F311F2,SHA256=1A7C0E86928532D467E267BCA03875B44A44C7095091F779BEFC392A094E73A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.375{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.373{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.370{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.368{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.365{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.363{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.360{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.358{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.353{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.351{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.341{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.338{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.336{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.334{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.331{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.328{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.325{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.323{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.315{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.314{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.285{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.283{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.283{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.282{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.281{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.266{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.245{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.233{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.221{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.218{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.189{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.183{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.169{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.163{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.162{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.160{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.157{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.155{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.152{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.151{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.149{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x800000000000000099689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.148{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x800000000000000099688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.106{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.105{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D19429596C418E5CCD01152A1F2DFC,SHA256=7071AA065F011893F15874A9B8251BE27565AB57A4D6BBAB07BB81468588400E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000099686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.102{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.101{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4091EFE1E055DEB603B44E5FC039E47F,SHA256=6BCE5598BC1B7C43FD8A546825F4FD22C5BA38C488B40F9A7F7E7B01744BE292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.010{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.010{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:11.009{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x800000000000000099760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.998{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.983{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.973{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.948{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.931{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.930{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.930{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.930{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000099752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.753{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.743{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.734{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.711{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.695{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.667{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.632{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.613{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000099744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.137{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:12.136{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69149744A77819D0C0B3BC05F590AFD,SHA256=CD13B32594AA6D8ECA2E527215F2587A826D2B16A49E44F4C3CAEFB68CC0C162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.910{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F19A34C418B5E37130C97F8CE8FDA51A,SHA256=6A1583995FAFF6D000EA0AE0D64392926079484702C66A055C74392B7DE74BBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A1C-63C6-6502-00000000B102}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7A1C-63C6-6502-00000000B102}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.369{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A1C-63C6-6502-00000000B102}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.370{F6EEFE7F-7A1C-63C6-6502-00000000B102}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:12.167{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3297B502366FAF8FF24F4E697E88B04C,SHA256=7A23BA11AB319E15BC8545C1FB7BED0FCD295E4651EB0806B4A512F4D44A6738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.507{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=825F8FCA44B8CC3B7DCC22F4E213EB6A,SHA256=30F498C7AA5173591684E8BC826334A4890253F2ADD503697C8DC7F2B0972160,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.447{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.436{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.405{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.394{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.367{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.359{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.341{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.334{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 354300x800000000000000070064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:11.156{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50383-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000070063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.332{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.326{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.323{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.320{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.317{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.316{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.313{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.311{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.310{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.304{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 23542300x800000000000000070051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.293{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCC013BC5DBBF55C0C64193AEF993EF,SHA256=DA3748B2158467AB5E82676FE3CBD2A8A1C34027B81EBB5A29AF76AD6A107DB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.270{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.252{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.234{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000099782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.897{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.860{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.848{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.837{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.828{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.819{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.806{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.800{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.608{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.608{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x800000000000000099772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.601{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.554{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.541{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.445{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.439{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 11241100x800000000000000099767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.252{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.252{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD178EEFE63769E95E8CB5372AE33DE,SHA256=D1DBAFAD8703D87ADA17D6B9652BE2217349BE68F550AB548A32D7BEA3B3C94E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.045{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.035{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.032{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.015{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.006{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000070043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.188{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.172{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.157{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.146{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.132{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.122{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.112{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.095{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:13.092{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.985{F6EEFE7F-7A1E-63C6-6702-00000000B102}5725472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.916{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A1E-63C6-6702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.916{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A1E-63C6-6702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.916{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A1E-63C6-6702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A1E-63C6-6702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7A1E-63C6-6702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A1E-63C6-6702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.742{F6EEFE7F-7A1E-63C6-6702-00000000B102}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.739{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F7A299BAD1FDC05765D4C064EDE64B,SHA256=49213ABFA33C50835A06F89C94F01C27A5FD4575E44D5DDCE4D7696728A0D9C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:14.962{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:14.955{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:14.826{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:14.822{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 11241100x800000000000000099784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:14.363{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:14.363{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15F8BA5315415860EB5DEC99561C952,SHA256=F34F9465665741BA12CA20CFB002524D7B7C3D285D965CFCF305CAF7D68CF4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.272{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B7905AEBEB58EBE6A3E9228196BDF2EE,SHA256=AD4D67ADAD3BC9ADE64E64781E69EE888E7E357594C2B8D04FB1FA8905FDF5BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A1E-63C6-6602-00000000B102}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7A1E-63C6-6602-00000000B102}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.241{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A1E-63C6-6602-00000000B102}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:14.242{F6EEFE7F-7A1E-63C6-6602-00000000B102}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:15.891{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD42EF05533A07180801DC9DCBD175D,SHA256=EA61813B5F8E47FBE2D7EDA7651AD569231D6910126540CA97282B49BD67F022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.986{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.973{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 354300x800000000000000099819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:13.199{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64567-false10.0.1.12-8000- 10341000x800000000000000099818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.563{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.546{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.544{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.501{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.492{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.483{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.436{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.428{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.426{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 11241100x800000000000000099809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.380{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.379{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26BEB626737A1BF696766428599D4A59,SHA256=EB39EED19AB2EA38AE63FF4C6DD348A29FE2AB25EE5EF4CC4D4A27B8DA2DF2CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.370{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.341{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.326{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.243{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.219{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.211{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.202{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.193{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.187{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.180{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.171{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.164{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.101{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.089{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.070{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.063{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.041{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.041{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:15.038{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000070120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.449{F6EEFE7F-7A20-63C6-6802-00000000B102}5165372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A20-63C6-6802-00000000B102}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7A20-63C6-6802-00000000B102}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A20-63C6-6802-00000000B102}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.263{F6EEFE7F-7A20-63C6-6802-00000000B102}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000099917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.998{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.996{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000099915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.996{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.996{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.995{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000099912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.958{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\msi.dll5.0.14393.5501Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=8454FDB332DD49B0845130AD4D8628F5,SHA256=AB9B968C07D381D070A68D3B5FBAC8632B0743A91286CB68FCF4CC0DF8C558E6,IMPHASH=921305700F902B8CB66358D10709E873trueMicrosoft WindowsValid 734700x800000000000000099911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.995{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000099910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.994{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000099909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.993{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000099908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.993{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000099907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.992{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.992{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000099905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.991{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000099904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.990{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000099903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.990{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000099902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.989{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000099901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.988{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.988{F172AD64-6CE6-63C6-0A00-00000000B002}6165072C:\Windows\system32\services.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.985{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.985{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.985{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.985{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.978{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000099894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.962{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x800000000000000099893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.932{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\aeinv.dll10.0.19645.1032 (WinBuild.160101.0800)Application Inventory ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationaeinv.dllMD5=755A21405D07E549C69DF671DF73448A,SHA256=CCD33B2EEB1C67BAB46A8E0B9A9AB912422D7FFC9F4F59DF1F1D39AA0F32F787,IMPHASH=2F216494C4782620ECD84B1887EE68C2trueMicrosoft WindowsValid 734700x800000000000000099892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.937{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x800000000000000099891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.937{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000099890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.937{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000099889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.936{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000099888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.936{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000099887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.936{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000099886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.935{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000099885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.935{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x800000000000000099884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.935{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000099883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.935{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000099882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.934{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000099881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.934{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000099880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.934{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000099879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.933{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.933{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000099877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.933{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000099876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.933{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.932{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000099874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.917{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000099873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.916{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000099872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.916{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000099871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.916{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000099870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.915{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000099869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.915{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000099868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.915{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000099867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.914{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.914{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000099865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.914{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000099864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.913{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000099863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.901{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x800000000000000099862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.910{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000099861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.909{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000099860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.909{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x800000000000000099859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.909{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000099858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.908{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x800000000000000099857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.908{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x800000000000000099856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.908{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x800000000000000099855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.908{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x800000000000000099854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.907{F172AD64-7A20-63C6-B102-00000000B002}65526428C:\Windows\system32\conhost.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.905{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000099852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.905{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000099851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.905{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000099850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.904{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000099849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.904{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000099848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.904{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x800000000000000099847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.903{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.903{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000099845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.895{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 734700x800000000000000099844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.903{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000099843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.903{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000099842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.902{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000099841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.902{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000099840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.902{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000099839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.902{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000099838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.892{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\CompatTelRunner.exe10.0.19645.1032 (WinBuild.160101.0800)Microsoft Compatibility TelemetryMicrosoft® Windows® Operating SystemMicrosoft CorporationCompatTelRunner.exeMD5=5DBC72807F88059BED692C58D3F165D1,SHA256=7AFF3A2D81851588FF0B2DF0BC1D18DDD8D7DFACF693B641A6390B4758C675A4,IMPHASH=073D2008CD517DAA64FE601CE086A682trueMicrosoft WindowsValid 734700x800000000000000099837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.897{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x800000000000000099836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.896{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x800000000000000099835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.896{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000099834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.896{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000099833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.895{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.893{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000099831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.893{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x800000000000000099830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.893{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000099829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.892{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.891{F172AD64-6CE8-63C6-1300-00000000B002}6807928C:\Windows\System32\svchost.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\pcasvc.dll+43591|c:\windows\system32\pcasvc.dll+22bed|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000099827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.494{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.493{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560FE65D0EED4D5198C8CD07D156D7C1,SHA256=FF2D9DD9212362710BD343219C33378CEF06BA9E879A503253D00410A9A824F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.123{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.060{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.040{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 10341000x800000000000000099822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.021{F172AD64-7A1A-63C6-AF02-00000000B002}81528124C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CA3CB3) 13241300x8000000000000000100002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:17.964{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplication\00003312f700c3d03614c2c9f93e32df9af300000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 13241300x8000000000000000100001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:17.670{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplication\00004ee7114ba1c474f7bbd42f8c9f930b0700000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 13241300x8000000000000000100000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:17.598{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplication\000068583dc536ea8c3daf81bdbdf12127d400000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 11241100x800000000000000099999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.569{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.569{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AD1056768FF7C0527522833D2F07E3,SHA256=5E2307F450B2ECDB67D144DE7124B701BCBEF5712E46C7AA9AE6C268013B9DCE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000099997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:17.524{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplication\000070aa163b48d93a6fb1c459f613fcd65f00000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 10341000x800000000000000070149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.864{F6EEFE7F-7A21-63C6-6A02-00000000B102}36486068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A21-63C6-6A02-00000000B102}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7A21-63C6-6A02-00000000B102}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.669{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A21-63C6-6A02-00000000B102}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.672{F6EEFE7F-7A21-63C6-6A02-00000000B102}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000070135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.450{F6EEFE7F-7A21-63C6-6902-00000000B102}58605832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A21-63C6-6902-00000000B102}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7A21-63C6-6902-00000000B102}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.177{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A21-63C6-6902-00000000B102}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.178{F6EEFE7F-7A21-63C6-6902-00000000B102}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:17.006{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DA69E94896C24334C90CAB7867DF90,SHA256=A5435174CA1A1B54C5B919AB9E8401E4E9AC55599FB2BB993CFA0F322D5F6CB3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000099996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:17.381{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplication\000027bb02f51e48dc3e0db3390b300af68d00000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 734700x800000000000000099995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.378{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 734700x800000000000000099994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.378{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DD,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000099993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.377{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000099992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.376{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000099991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.375{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000099990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.294{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\Windows.UI.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=D3F324CB3A994CE40D1059E08C8D83C6,SHA256=509339A871B7A42CE5C0307DE3DC1068BCDE461093CA2F2F87C75105FA306955,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 11241100x800000000000000099989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.308{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.308{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96C2293B826222E4D4668B8CB530FBF,SHA256=EDFA9BE2F5ED5676E6ACEB3AC0F1CC465322589A5EF1A11278F09DCDAC5BAFE5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000099987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DD,IMPHASH=462A9FA6F44F25C68798F197AC8EC9D9trueMicrosoft WindowsValid 10341000x800000000000000099986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.297{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.297{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.296{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.296{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.256{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.255{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.255{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.250{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.249{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.249{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x800000000000000099976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.194{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x800000000000000099975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.174{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\msxml6.dll6.30.14393.5648MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=B82E1559DD59365F9C56E23434DA4FB6,SHA256=BA153BC8608EBE74778B362FFDA7805C7871199D6C9BD6819DC0239E84009900,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 10341000x800000000000000099974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.238{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0700-00000000B002}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.238{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0700-00000000B002}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.238{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0700-00000000B002}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.235{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.235{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.235{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.231{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.231{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.231{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000099965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.217{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.152{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2,IMPHASH=F5D44AC1D5D2912F6B871FE7D5604CEDtrueMicrosoft WindowsValid 10341000x800000000000000099959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B102-00000000B002}6552C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.133{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x800000000000000099951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.133{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\AppxPackaging.dll10.0.14393.4770 (rs1_release.211101-1440)Native Code Appx Packaging LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxPackaging.dllMD5=A58FBE599542C53E18601E647AA29EB3,SHA256=5F701623198094CE1A2C4B4D3582282BAB16EBBDC320FC143DCC0E8B329E445B,IMPHASH=E83FD6386910673ADF4407F03B084CAFtrueMicrosoft WindowsValid 734700x800000000000000099950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.104{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\Windows.ApplicationModel.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows ApplicationModel API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.ApplicationModel.dllMD5=CEF3C9261C59336E33920D12A0A88EE4,SHA256=80F69DD2F2C3293FA200D8C463B9C0B3A0F57E966AB3763689E662D6B8E2E48F,IMPHASH=75E17947EA5F1615946F8A33F101E206trueMicrosoft WindowsValid 734700x800000000000000099949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.089{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.StateRepository.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows StateRepository API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepository.dllMD5=3E6A8784A88486C59BA7E05BD97BED6F,SHA256=233AC68F140E2A5D856AE0DAEAB6930BD368F517B211FE1FC0FFCB55B915617A,IMPHASH=A28EA9ED587BD4511849B7BB44021022trueMicrosoft WindowsValid 734700x800000000000000099948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.135{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000099947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.134{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 10341000x800000000000000099946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.116{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000099945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.112{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x800000000000000099944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.105{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x800000000000000099943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.051{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=E0E13482A64635E305045F9EECAF4F53,SHA256=68291C8D8C6C8CDC112A9BA73B28C5C29CD87017E96DBCC5009B9BCDBDDEF326,IMPHASH=BAB4B09716AD341771228F16AF6CB4A6trueMicrosoft WindowsValid 734700x800000000000000099942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.049{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x800000000000000099941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.042{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4704 (rs1_release.211004-1917)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=7E027B814172825204990B59AA353DB6,SHA256=F6F12530FE0312540C3C1310D618EE4D9005199E90E1BB9B385CA086C54E20C1,IMPHASH=D4255358570CE65AE9390E07B2795ADCtrueMicrosoft WindowsValid 734700x800000000000000099940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.034{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1,IMPHASH=4CAFDD735088F52AC974373982DCCDF2trueMicrosoft WindowsValid 734700x800000000000000099939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.029{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\mintdh.dll10.0.14393.5356 (rs1_release.220906-1211)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmintdh.dllMD5=ACE1C1ACEBEB109A2CD261AE9D3BD23D,SHA256=29B58C3067C72F6D86A7940C263606974578A49BCC91107C4116D863526C2F8D,IMPHASH=92D4FBE8F70FD95D329EA4882A8C3278trueMicrosoft WindowsValid 734700x800000000000000099938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.026{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\tdh.dll10.0.14393.5125 (rs1_release.220429-1732)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationtdh.dllMD5=6F455C95F294B3A3E34102BEF294D45C,SHA256=2182F234811B1DF1A366AE925A8167C0BC519AEBAF55A92887E36651EBA7E347,IMPHASH=E0A9B1840595F8507313FB797C5187E6trueMicrosoft WindowsValid 734700x800000000000000099937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.024{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862,IMPHASH=53CA7FAF1CEDFB0EC8CCD763B974D4A1trueMicrosoft WindowsValid 734700x800000000000000099936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.053{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x800000000000000099935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.051{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x800000000000000099934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.018{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\AppXDeploymentServer.dll10.0.14393.5582 (rs1_release.221130-1719)AppX Deployment Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentServer.dllMD5=467BAD1B7C3212156C64A2602EA6DC69,SHA256=F4FF2E13B651B300CF974238E453B4436F5A593AA4FAA5364CCFA044D78578F5,IMPHASH=17D28C3D59D0E856F7CB5D0D40C782C8trueMicrosoft WindowsValid 11241100x800000000000000099933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.045{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x800000000000000099932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.044{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03EE1164470209277CFA0E05DFB4B3D1,SHA256=0526F660A7060145AA3A3649FBFF9B437AB38D509A2FC24A6E19424BE22E86B6,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000099931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.035{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000099930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.021{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x800000000000000099929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.020{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x800000000000000099928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.020{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x800000000000000099927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.020{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000099926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.020{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x800000000000000099925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.020{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x800000000000000099924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.019{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000099923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.019{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000099922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.019{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000099921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:17.018{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x800000000000000099920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.989{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.5582 (rs1_release.221130-1719)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=83557C9B0E94FCB9D5181D928563991C,SHA256=11FAEB577FAF552BE4FF2275195CD0B3471228EE56C25D38DE5261BF87DF48BA,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924trueMicrosoft Windows PublisherValid 734700x800000000000000099919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.982{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\AppXDeploymentClient.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)AppX Deployment Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentClient.dllMD5=C1B7C819744E85143C8D45AA3A169D95,SHA256=37F2C1098F17F739867866D49A63FB13F2BC246F3AED4998E0F84A8DAA876B6B,IMPHASH=25D44439F18A7678D22EBE0E51E0B433trueMicrosoft WindowsValid 10341000x800000000000000099918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:16.999{F172AD64-6CE6-63C6-0A00-00000000B002}616104C:\Windows\system32\services.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.895{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000100047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.895{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A20-63C6-B202-00000000B002}6808C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x8000000000000000100046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.607{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.606{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A28C077AF98031BF5AFB6A6F194A5D8,SHA256=2749C83C1119D63DB4A15D4EC2CE1CF0A5DFD48B50B73314154AD44701CF2C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:18.825{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D785BE59207A68343C99C24550667EF,SHA256=A99372636DCF85E0F387EA27F09CE8D2D132CBD95CE30E95608DB98E737AA93F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:16.172{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50384-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:18.113{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D277A040F625F9D51400433584FAF8C3,SHA256=8F88F9041EBFFE4CBD53FEFEA2676B43FB49C5356AB8E5CA6F7E84E44C8E00E0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000100044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\BinProductVersion5.1.55.828 13241300x8000000000000000100043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\LinkDate07/24/2021 22:41:54 13241300x8000000000000000100042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\Publisher(Empty) 13241300x8000000000000000100041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\LowerCaseLongPathc:\program files\npcap\uninstall.exe 13241300x8000000000000000100040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\BinProductVersion5.1.55.828 13241300x8000000000000000100039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\LinkDate08/29/2021 00:22:49 13241300x8000000000000000100038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\Publisherinsecure.com llc. 13241300x8000000000000000100037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\LowerCaseLongPathc:\program files\npcap\npfinstall.exe 13241300x8000000000000000100036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\BinProductVersion5.1.55.828 13241300x8000000000000000100035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\LinkDate08/29/2021 00:22:59 13241300x8000000000000000100034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:18.286{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\Publisherinsecure.com llc. 13241300x8000000000000000100033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:36:18.285{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\LowerCaseLongPathc:\program files\npcap\npcap.sys 13241300x8000000000000000100032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:18.285{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplication\0000663de35f4d04146ae36ebf14122b6e9f0000ffff\PublisherNmap Project 734700x8000000000000000100031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.241{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 13241300x8000000000000000100030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\unins000.exe|2330fed5e756b8e9\BinProductVersion0.0.0.0 13241300x8000000000000000100029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\unins000.exe|2330fed5e756b8e9\LinkDate06/19/1992 22:22:17 13241300x8000000000000000100028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\unins000.exe|2330fed5e756b8e9\Publisher(Empty) 13241300x8000000000000000100027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\unins000.exe|2330fed5e756b8e9\LowerCaseLongPathc:\program files\process hacker 2\unins000.exe 13241300x8000000000000000100026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\processhacker.ex|8599f41d46db8e32\BinProductVersion2.39.0.124 13241300x8000000000000000100025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\processhacker.ex|8599f41d46db8e32\LinkDate03/29/2016 01:34:01 13241300x8000000000000000100024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\processhacker.ex|8599f41d46db8e32\Publisherwj32 13241300x8000000000000000100023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\processhacker.ex|8599f41d46db8e32\LowerCaseLongPathc:\program files\process hacker 2\processhacker.exe 13241300x8000000000000000100022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\processhacker.ex|5edc097cc74955ec\BinProductVersion2.39.0.124 13241300x8000000000000000100021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\processhacker.ex|5edc097cc74955ec\LinkDate03/29/2016 01:33:55 13241300x8000000000000000100020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\processhacker.ex|5edc097cc74955ec\Publisherwj32 13241300x8000000000000000100019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:36:18.238{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\processhacker.ex|5edc097cc74955ec\LowerCaseLongPathc:\program files\process hacker 2\x86\processhacker.exe 13241300x8000000000000000100018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:36:18.237{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\peview.exe|5b12b9a41a313efc\BinProductVersion2.39.0.124 13241300x8000000000000000100017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:36:18.237{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\peview.exe|5b12b9a41a313efc\LinkDate03/29/2016 01:33:59 13241300x8000000000000000100016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:18.237{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\peview.exe|5b12b9a41a313efc\Publisherwj32 13241300x8000000000000000100015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:36:18.237{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\peview.exe|5b12b9a41a313efc\LowerCaseLongPathc:\program files\process hacker 2\peview.exe 13241300x8000000000000000100014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:36:18.237{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\kprocesshacker.s|a12112d15e8ccfda\BinProductVersion3.0.0.0 13241300x8000000000000000100013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:36:18.237{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\kprocesshacker.s|a12112d15e8ccfda\LinkDate03/28/2016 18:20:42 13241300x8000000000000000100012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:18.237{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\kprocesshacker.s|a12112d15e8ccfda\Publisherwj32 13241300x8000000000000000100011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:36:18.237{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplicationFile\kprocesshacker.s|a12112d15e8ccfda\LowerCaseLongPathc:\program files\process hacker 2\kprocesshacker.sys 734700x8000000000000000100010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.234{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\devrtl.dll10.0.14393.0 (rs1_release.160715-1616)Device Management Run Time LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationDEVRTL.DLLMD5=103D84E49F517098C0E8E14044BB1F73,SHA256=370BAADCA5D39C94A532D2E80EBA6CA537B47E41038A332412AEE4BBA5F025B9,IMPHASH=5DE6FAFA9C141BF53E629553C4AB42FBtrueMicrosoft WindowsValid 13241300x8000000000000000100009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:36:18.237{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{cbd79aad-d66d-d519-7959-1b72127c6647}\Root\InventoryApplication\00003935e2d441f1ee4d1ac21deda1e374f60000ffff\Publisherwj32 734700x8000000000000000100008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.232{F172AD64-7A20-63C6-B002-00000000B002}6480C:\Windows\System32\CompatTelRunner.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 11241100x8000000000000000100007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.180{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:36:18.180 11241100x8000000000000000100006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.027{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 13:16:44.659 23542300x8000000000000000100005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.025{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8DC6E15799347B213D8925496DD499A8,SHA256=1122447CE9469A41A55002CE0F32162C773C188D552336C0549B9C999576D879,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.017{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000100003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.014{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDCFE61720B34DA99389C72C7F5DF372,SHA256=F0379EC563D3F1B2DD82C471A970950DE97A05852DBC31F9F6A1ED4B526BBC81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A23-63C6-6B02-00000000B102}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7A23-63C6-6B02-00000000B102}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.461{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A23-63C6-6B02-00000000B102}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.462{F6EEFE7F-7A23-63C6-6B02-00000000B102}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:19.212{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173FB06A07EA7336B543D7921A17138A,SHA256=697902741903AC364C4EF4A11F6E60F1DCE166B706348ADC696B99B3E22F89D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.975{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url2023-01-17 10:32:00.888 23542300x8000000000000000100060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.975{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.urlMD5=82C914A69E3F38B4B266B0C2EF55807A,SHA256=D16ED1A306F4A062BF2D88AF0240230E545F7D368B468220D4378164F5340875,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000100059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.961{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000100058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.960{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000100057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.960{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000100056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.960{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000100055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.959{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000100054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.959{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000100053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.696{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.696{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000100051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.691{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.691{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D8489FC9C253DC90CFD06874A20043,SHA256=E8F87B11AC2AF89C2076213AF539CD0FFA6090B7EA5D1A9CC0DDF19F5AD8060F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.358{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:36:19.357 23542300x800000000000000070167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:20.400{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7FD0AAC3D6198BEAB1B451292CA44B,SHA256=541F9F52F3768AA7DF18C46E32A1DB43DBF3C3E171888A8E832A4751E75770A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.970{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.969{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66256195C6A821E25540318CC490E871,SHA256=C3B7D5BC7D11CA16420723FD75462789A434F951283F21FA1A2C3995C5FE34ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.961{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 734700x8000000000000000100210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.899{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.899{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.898{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.897{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.895{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.895{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.893{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.893{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000100202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.892{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000100201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.874{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000100200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.874{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.874{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.874{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000100197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.873{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.873{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000100195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.873{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.873{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.873{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.873{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.873{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.873{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.873{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.872{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.872{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000100186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.872{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.871{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.871{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.871{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.870{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000100181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.870{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.870{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.870{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.869{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.869{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.869{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.869{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000100174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.868{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.867{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000100172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.867{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000100171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.866{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.866{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000100169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.866{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.866{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.866{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000100166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:18.348{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64568-false10.0.1.12-8000- 10341000x8000000000000000100165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.866{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.865{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.865{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.710{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000100161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.804{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.804{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.804{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000100158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.802{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000100157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.802{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x8000000000000000100156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.799{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.799{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.799{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000100153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.797{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000100152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.796{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.796{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.796{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.795{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.794{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000100147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.793{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.791{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000100145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.791{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.790{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000100143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.788{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.787{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000100141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.787{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.787{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000100139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.786{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000100138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.785{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000100137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.785{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000100136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.784{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.783{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000100134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.782{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.782{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000100132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.726{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.725{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDD36E517B73707D11FC687014FE5E5,SHA256=FFB41525FEEB6E4FDFC8BA8F6ED1F461657FD6F1BE5CF3876223D53414972714,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000100130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.312{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000100129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.310{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.310{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000100127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.286{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000100126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.285{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A27B662A0994D64DB0EEC0791439C32B,SHA256=C53B69EBEDC7DB9695C449F89E6BA9D552510A11987FFA51305362B96FD1F0EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.261{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.260{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC4E13F1A798E20C80188847009BA73,SHA256=44EF8FC632A347E92F5506349D9426FED70D00CC40C2181E00119B11660B1C5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.257{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000100122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.256{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000100121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.256{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000100120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.130{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.129{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.129{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.128{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.126{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.126{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.125{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.124{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000100108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.117{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 11241100x8000000000000000100107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.116{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Desktop\read_it.txt2023-01-17 10:32:00.919 23542300x8000000000000000100106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.115{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Desktop\read_it.txtMD5=8B7C16186EDA725A280AE9F7E7EA9B43,SHA256=F59448977DB86356CFFDF951CEF0B2273F83641DB68A8BD1F6170F8FB07AC44B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.113{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Desktop\Process Hacker 2.lnk2023-01-17 10:35:45.881 23542300x8000000000000000100104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.113{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Desktop\Process Hacker 2.lnkMD5=A64DAAE01C0CDCCE4814070C6BBBB2A1,SHA256=199F33A44A339D3CF379B1BA20845C9F1E689A2674D2B5267F3C74334644E507,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000100103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.111{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000100102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.107{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000100101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.105{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.105{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.104{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.103{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.099{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.096{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000100095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.095{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.093{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.093{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.093{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.092{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.092{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.092{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.092{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.092{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.091{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.091{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.091{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.090{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.090{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000100081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.090{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.090{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.089{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.089{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000100077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.089{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000100076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.088{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.088{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000100074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.087{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000100073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.087{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.087{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000100071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.086{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.086{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.086{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.086{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.086{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.085{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:19.935{F172AD64-7A23-63C6-B302-00000000B002}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000100064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.046{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.045{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.045{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 23542300x800000000000000070168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:21.590{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B63D3F0EA15C3D32062033FA9A328E,SHA256=A6B47793C973B32089231841576365D5556D18030ECD36F843DF327D776EA864,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.951{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000100284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.951{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000100283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.951{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 734700x8000000000000000100282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.948{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.948{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.947{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.947{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.945{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.945{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.944{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.944{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000100274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.937{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000100273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.937{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000100272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.937{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.936{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.936{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.936{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000100268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.936{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.935{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.935{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.935{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.935{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.935{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.935{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.934{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000100260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.934{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.934{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.934{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.934{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.934{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.934{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.934{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.934{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.934{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000100251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.933{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.933{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.933{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000100248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.933{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000100247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.933{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000100246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.932{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000100245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.932{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000100244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.932{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.932{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000100242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.931{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.930{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000100240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.930{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000100239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.929{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.929{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000100237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.929{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.929{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.929{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.929{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.929{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.928{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.721{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000100230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.369{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000100229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.369{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000100228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.369{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000100227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.368{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000100226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.368{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000100225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.368{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000100224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.219{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.218{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.218{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A24-63C6-B502-00000000B002}7196C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.081{F172AD64-7A24-63C6-B402-00000000B002}79167444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.081{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.080{F172AD64-7A24-63C6-B402-00000000B002}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000100217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.022{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.022{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.022{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000100214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:21.021{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x800000000000000070169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:22.687{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790F1B3CE3BEDE0567B1D6AFC2ED729D,SHA256=C9079C1F1C4B403FF046FDA020029B2EAEA293583960730F07862ECBF56F826C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:22.981{F172AD64-7634-63C6-B901-00000000B002}4900ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000018.dbMD5=F23D2F2B45A76ED3BB9BD3A3FE518279,SHA256=3476A34A5FDB790F24FFAF21D3FD2799DE7AF639A103893759395FD1832217A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.770{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64569-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x8000000000000000100293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:20.770{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64569-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 11241100x8000000000000000100292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:22.739{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000019.db2023-01-17 10:36:22.739 734700x8000000000000000100291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:22.125{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000100290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:22.124{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:22.123{F172AD64-7A25-63C6-B602-00000000B002}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000100288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:22.049{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=791D34B5E6D80E23DC3B3FD2863E4C5A,SHA256=E62EFF1FFDCFAE4A981992CE1E2AADB875836172CBD5C14B2FC24707C2F04CA8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:22.004{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:22.004{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A715E1A349EE07E9264BCEA3A5CCEF,SHA256=BD1272187E2E1A6EB8DA4943909B5C76ED73FB81D4A92B9170A67CDC7709F95C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:22.218{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50385-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:23.768{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8271846E80AC2C343221E14313591B8,SHA256=C5F2023BFC8450305779F94C3D1343ED293A00B887BBF18CDBC50E7137F1CE4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:23.025{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:23.025{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707EDBD6936C027C80BCFF4C73FC2C51,SHA256=B6A9E314C272A873D6C82815DC05E3A84918D6DEC4CBEAF92155AC7715C0E794,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:23.023{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:23.023{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CF0C9D5D9AA8FC4AA75D209AEB62CB,SHA256=86EE5BA10E4F97B826724EF2383A2580C8EB9408107C42112DCFBADF50CC2884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:24.861{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E6598AC543678D29821048C828410C,SHA256=6C59C68B9A1164BA193EDF6DDA07E4F5B2CA5F5A3957557F294CC7EF4CB6C747,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000100357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.555{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000100356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.555{F172AD64-7A28-63C6-B702-00000000B002}29285328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.547{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.546{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000100353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.375{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.374{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.374{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.372{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.371{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.370{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.370{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.370{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000100345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.363{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000100344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.363{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.362{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.362{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.362{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.361{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000100339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.361{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.361{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.361{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.361{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.360{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.360{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.360{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.360{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.360{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.360{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000100329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.360{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.360{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000100327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.360{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.359{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.359{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.359{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.359{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.359{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.359{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.358{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000100319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.358{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.358{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000100317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.357{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.357{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000100315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.356{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000100314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.356{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000100313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.355{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.355{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000100311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.355{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.355{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.355{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.355{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.354{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.212{F172AD64-7A28-63C6-B702-00000000B002}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000100305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.247{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\read_it.txt2023-01-17 10:32:01.013 23542300x8000000000000000100304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.247{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\read_it.txtMD5=8B7C16186EDA725A280AE9F7E7EA9B43,SHA256=F59448977DB86356CFFDF951CEF0B2273F83641DB68A8BD1F6170F8FB07AC44B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.106{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win32.zip2023-01-17 10:32:47.572 23542300x8000000000000000100302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.106{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win32.zipMD5=F6FE2BD46F091E4C7494F8DF876D6C9D,SHA256=3CB7340B5B0B250A5B8D6CBF45BEE4355BE09C9A4D4FE2B2FAC9ABD5C7B95EFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.031{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.031{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B80127FB015D8F6368EE3ED08B1D16,SHA256=8E6A992AD4F8E23F55044D92B473E32DC028F82EF6F5731EE404CC5713F7D15D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:24.602{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-054MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:25.929{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395F6A6223EB549FC00AF7E4630D7730,SHA256=A42FDEE529556DA60270E05B0C273D316CFF1424B2CA9F9DAB47E8229E88CF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:25.607{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-055MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000100469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.932{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000100468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.932{F172AD64-7A29-63C6-B902-00000000B002}77687276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.932{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.931{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000100465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.897{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.897{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2024576EE8B8C6886FE1C7A95275A707,SHA256=12DD8E298518C7493B76FBE3E37B1A9B4F0CA30BAA17DD59C2BED16A04B73D9D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000100463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.778{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.777{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.777{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.776{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.775{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.774{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.774{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.774{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000100455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.768{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000100454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.768{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.767{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.767{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.767{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.767{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.766{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.766{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000100447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.766{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.766{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.766{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000100438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000100436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.765{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.764{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.764{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 11241100x8000000000000000100428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.763{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.763{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B19AC783E05BCC065C0E82E2CBADA5,SHA256=7AA5B5EFE25FB6A49B8AA0870FF2385B26CC2BDAAE68BC433547EC24579D5286,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.763{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.762{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000100424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.761{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000100423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.760{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.760{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000100421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.760{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.760{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.760{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.758{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.758{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.758{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.758{F172AD64-7A29-63C6-B902-00000000B002}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000100414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.559{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000100413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.558{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC9F61BF600AD1346CD4EEDDD38C2A65,SHA256=5A351E353287C90810E496D79381DC903BC3F7CAC51E0E76AEBAC1A557A2E834,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000100412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.381{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000100411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.381{F172AD64-7A28-63C6-B802-00000000B002}52241008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.381{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.380{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000100408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.215{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.214{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.168{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.167{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.167{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.166{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.164{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.164{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.164{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.163{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000100396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.157{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000100395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.157{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.157{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.156{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.156{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.156{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000100390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.156{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.156{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.155{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.155{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.155{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.155{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.155{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.155{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.154{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.154{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.154{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000100379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.154{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000100378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.154{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.154{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.154{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.153{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.153{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.153{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.153{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.153{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.153{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000100369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.152{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.151{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000100367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.151{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000100366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.151{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.150{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000100364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.150{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.150{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.150{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.149{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.149{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:25.149{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.985{F172AD64-7A28-63C6-B802-00000000B002}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000100533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:24.277{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64570-false10.0.1.12-8000- 734700x8000000000000000100532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.732{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000100531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.730{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000100530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.730{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000100529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.578{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000100528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.577{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000100527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.577{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000100526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.576{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.575{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000100524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.575{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.574{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000100522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.568{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000100521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.568{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000100520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.562{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000100519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.562{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000100518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.562{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000100517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.562{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.562{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000100515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.561{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.561{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000100513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.561{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000100512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.561{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.561{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000100510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.561{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000100509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.561{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000100508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.561{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.560{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.560{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000100505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.560{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000100504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.560{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000100503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.560{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000100502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.560{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000100501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.560{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000100500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.559{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.559{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000100498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.559{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000100497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.558{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.558{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.558{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.558{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000100493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.557{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.557{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000100491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.556{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000100490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.556{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.556{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000100488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.555{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.555{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.555{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.555{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.555{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.554{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.417{F172AD64-7A2A-63C6-BA02-00000000B002}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000100481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.416{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.415{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C6BBBEAC1AFCD03BC97E2AAD5C4059,SHA256=B82BFD2F8B296F8AD46A3B5D975DFA68A5CD4B26E391E7638DFFE40D13CC5A84,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.159{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\jumpListCache\cSCy3q46Wo4cESqiBew1WQ==.ico2023-01-17 10:36:26.158 11241100x8000000000000000100478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\jumpListCache\HAH+3ZvDqa8xcQU3P3+IOQ==.ico2023-01-17 10:36:26.158 11241100x8000000000000000100477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.157{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\jumpListCache\rSYQu1JwGIRAZdMss7YxNg==.ico2023-01-17 10:36:26.157 11241100x8000000000000000100476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.156{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\jumpListCache\0L+KjXKAt+WxtKOrF8U22w==.ico2023-01-17 10:36:26.155 10341000x8000000000000000100475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.154{F172AD64-7634-63C6-B901-00000000B002}49004560C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E22B3998)|UNKNOWN(FFFF8AA9E22B3B17)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 11241100x8000000000000000100474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.154{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\jumpListCache\YbYrOZkEvKD+ZYBasOELmw==.ico2023-01-17 10:36:26.154 10341000x8000000000000000100473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.154{F172AD64-7634-63C6-B901-00000000B002}49004560C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E22B3998)|UNKNOWN(FFFF8AA9E22B3B17)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.154{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3469e8.TMPMD5=C4BF47B7944C2AC368467A974140B9E1,SHA256=24E9F247BB367A3EC37CB3145066B4764F7B34C710B9013BE83E6ED4F49D02C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.152{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3469e8.TMP2023-01-17 10:36:26.152 11241100x8000000000000000100470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:26.149{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MHS5F6WAAVVUNBT9DITS.temp2023-01-17 10:36:26.148 11241100x8000000000000000100535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:27.451{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:27.451{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA3C99FAEBA7AC847F3E0C468AC5AC6,SHA256=FBD41A871DE8DF2E1DC3389B650BDC44711C4ECE702888A386090D585F2758B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:27.260{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46106147772AEB50811A5D6B4BC004C,SHA256=4CA3E65C245CF47C684EB482C228C2763E30C207E0DB486C73097001BF5C5E35,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.979{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.xml2023-01-17 10:32:58.373 23542300x8000000000000000100591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.978{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.xmlMD5=4279FBA772C17F6DBE3AF8C58FCA0D55,SHA256=717D6B7720D66367AA34AA9A469B06266DDCDA5167A57125E3C68E70B9847D61,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.942{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.pdb2023-01-17 10:32:58.372 23542300x8000000000000000100589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.942{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.pdbMD5=686D5FB16EEAA0C172A965B3A4A465E1,SHA256=82B0F05EA5394C8C80D871B1E0608CC17FDBA23B506E0E31524B00702A311CC8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.917{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.Mono.xml2023-01-17 10:32:58.371 23542300x8000000000000000100587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.917{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.Mono.xmlMD5=7E7966F8C5B6AC43AE9FA2B0DBEEC912,SHA256=B1523F8875F244C09EEAF5C2C3487F63E30DF26CB774D5D9F39F8F6279241310,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.897{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.Mono.pdb2023-01-17 10:32:58.371 23542300x8000000000000000100585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.897{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.Mono.pdbMD5=0330B0F7A9B0AE3C0538259F98ACE331,SHA256=AF7B2DFE53D5D8EBC90D1F9B1EF0810C7BABD6D9BFB948B517308E12329A77C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.872{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.xml2023-01-17 10:32:58.366 23542300x8000000000000000100583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.871{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.xmlMD5=CE5852666F219AF8D69C36340615FCB6,SHA256=5A7DDA2E73EFDBF6B28AEC769F806281B5055738330DB9307066A7F8EF2150D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.852{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.pdb2023-01-17 10:32:58.365 23542300x8000000000000000100581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.851{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.pdbMD5=D59044D33333488516B5A8E6DDD9D35A,SHA256=D67C4B7628290E2A372439193E924A872CD28E888FD832C54DE4C8B803CA230F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.828{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Console.runtimeconfig.json2023-01-17 10:32:58.362 23542300x8000000000000000100579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.827{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Console.runtimeconfig.jsonMD5=C0BBAE9A92C0004F0E48A1303834A4F1,SHA256=D73D166ED2C36560E74CCD1067673BC17C881D570E09394DDD5EF0FFD3D9E8A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.808{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Console.pdb2023-01-17 10:32:58.361 23542300x8000000000000000100577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.807{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Console.pdbMD5=750B66460DA1802E669ABD54781B72E2,SHA256=29CDC659A8192F35E5BE68B58B5F4A0BA1D794176FE33831C459DA013EB59688,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.785{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Console.deps.json2023-01-17 10:32:58.348 23542300x8000000000000000100575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.785{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Console.deps.jsonMD5=032F68EB3106BC497ABD737BF7D4D3D4,SHA256=4C57145BA55A67BF643B7534BA59180806D1F01513AEC08EF8AD081CC07E9223,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.763{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.BamlDecompiler.x.pdb2023-01-17 10:32:58.348 23542300x8000000000000000100573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.763{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.BamlDecompiler.x.pdbMD5=1F039AD6072B7FD8EFC3E43CA81157AA,SHA256=010AD66254D4D32F167767B1108084E7FB838738DEFD9D310AFFA7141A83248B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.738{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.BamlDecompiler.x.deps.json2023-01-17 10:32:58.344 23542300x8000000000000000100571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.737{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.BamlDecompiler.x.deps.jsonMD5=ED9ABA5A89C11A00C158434A5FAA263F,SHA256=AF0DDF7A8FADF48F8C4C70287A09ADD3DAB9C2347304FD97F365D06D277CD666,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.711{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.AsmEditor.x.pdb2023-01-17 10:32:58.338 23542300x8000000000000000100569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.711{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.AsmEditor.x.pdbMD5=2E68AB5490E3BD2C1516BE23D6443A49,SHA256=1329658F2F218E37E7BA29C39BEC66235392664718281B6FC4A6297284505FA7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.651{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.AsmEditor.x.deps.json2023-01-17 10:32:58.322 23542300x8000000000000000100567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.651{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.AsmEditor.x.deps.jsonMD5=32C97FD1685E17A04B899CA4B4933052,SHA256=D33ABBBD41DB8A5745AD4B9E5531C05313C21B3EBADCDBDED2B6B08598BB6CDB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.625{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Analyzer.x.pdb2023-01-17 10:32:58.320 23542300x8000000000000000100565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.624{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Analyzer.x.pdbMD5=51B457C655717C99FAB62CEDBBDD1F2A,SHA256=1137B6041041B668F45E2AF8A488315F314EFDA943916C99CEA3E5459A21E31A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.600{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\read_it.txt2023-01-17 10:36:28.600 11241100x8000000000000000100563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.599{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Analyzer.x.deps.json2023-01-17 10:32:58.316 23542300x8000000000000000100562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.598{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Analyzer.x.deps.jsonMD5=896AA14C0F3CD398BFE67BDEB91AFC17,SHA256=34A0D085A0316E58C25478F66C8E4E918851C4883EA32E4E7234F0DA5494802C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.529{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.528{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2087F8CBD642A9D71854FEE41FE9F534,SHA256=3C2586B3752C57E56B596CBE8BE9300CD896F7CAA1BF22A5EAEDA72D5FE3A18B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:28.360{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40476D138CEBEF24A58D441D1B95F815,SHA256=68326E04E5FDB93B1B03730A9593D2DD696F522F6DC034CD815C133C6D30731C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.411{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64.zip2023-01-17 10:34:05.896 23542300x8000000000000000100558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.411{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64.zipMD5=4800FD15179864EDEF2FB70788A042A2,SHA256=78D855AEF02D87195DDDE4F4A89F16F03708E66EC8282CF8EB9ECC89DD469F6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.192{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.185{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.178{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.176{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.175{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.169{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.165{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.164{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.162{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.157{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.147{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.142{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.136{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.128{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.121{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.081{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.070{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.064{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.056{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.049{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.013{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:28.008{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000070179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:28.178{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50386-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:29.556{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23372A40346F0AEEBB4F423CBC0FE97F,SHA256=44B6CF5B93C1803B09C7AE289C09D920592B54433A3D71BF45BD128C4744CB34,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.999{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.pdb2023-01-17 10:32:58.556 23542300x8000000000000000100653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.998{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.pdbMD5=8969C45D7977F33CA436D48C8EEF5C57,SHA256=4115BB998BA008AA110863AEEA120E2469A5CD72FCCF3EDD346DD6A6978D876B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.989{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.989{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E460DDD66AE98BA877EBFE40FBAB8A,SHA256=3EFF3AE0E673822813BEC2304B2993B12BB7D7FC2D7233FF64AFCD0B42BEF758,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.968{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.Internal.pdb2023-01-17 10:32:58.554 23542300x8000000000000000100649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.968{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.Internal.pdbMD5=7DE1D23692D54AACFEAA933B5CE0F059,SHA256=1847B868853D3DC5F4AD6D5AEB08C7F2A6CA8E05BE04976079E891EB47BF81D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.946{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.EditorFeatures.pdb2023-01-17 10:32:58.552 23542300x8000000000000000100647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.945{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.EditorFeatures.pdbMD5=8C9FAE659F70654C4CC0316B145FE30F,SHA256=8481113D741992FA45C33212D69983C1C5447F07148123862E7E7E51551D1528,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.925{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.Internal.pdb2023-01-17 10:32:58.542 23542300x8000000000000000100645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.925{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.Internal.pdbMD5=5529A408CAFF1769B7BC3F56FEA24812,SHA256=AE52495BAA7A691DA66A745E3F7645C888664B2AABE05D0F6DD0F5623E063CAD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.905{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.EditorFeatures.pdb2023-01-17 10:32:58.540 23542300x8000000000000000100643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.904{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.EditorFeatures.pdbMD5=392AE708B3C632893F8244C5536F7847,SHA256=59F0468B3C63537B895EECB2EE7AA2AE98B16FED037825D72D2BB78AFF6525CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.880{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.pdb2023-01-17 10:32:58.520 23542300x8000000000000000100641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.880{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.pdbMD5=5C8025C13065562871D9EDA52BF19BC1,SHA256=694B1A5D6A3F366EB3FD51BCE5BBF4A3BD33913F0AEFF13FD44BF1137DCCE5FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.784{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Images.pdb2023-01-17 10:32:58.518 23542300x8000000000000000100639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.783{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Images.pdbMD5=568433F31D561DB2DBC41BA2C01AB122,SHA256=E0F9B6E0B294FA9C85603974A83176FCFB8C3ACF8B4F793FCBEDBD45A2CF6209,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.763{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.deps.json2023-01-17 10:32:58.481 23542300x8000000000000000100637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.763{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.deps.jsonMD5=F7097BA79CAF67216CA6396612B5B103,SHA256=8BE71D9E9C86ADE76E8C938349C0D8A3A7261BC0CD42BCF4539C052A17E2F572,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.732{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.pdb2023-01-17 10:32:58.477 23542300x8000000000000000100635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.732{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.pdbMD5=C9565685378D27E2A983CDE23FC7CC7B,SHA256=93433D8CFEA83D207F335F47EBFA11988E1FC3792C1640D797DE334E64C1C08D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.709{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.x.pdb2023-01-17 10:32:58.475 23542300x8000000000000000100633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.708{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.x.pdbMD5=90AD1B553C7618735B1FBB863CD38246,SHA256=EC49C62FF5C14C6C770934F9188641E6510453BFCD1F04750D3B2D86B42C0E96,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.689{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.x.deps.json2023-01-17 10:32:58.473 23542300x8000000000000000100631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.688{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.x.deps.jsonMD5=FECE0FD46698E6F37D097469F706A6AC,SHA256=944F2F019B9C52CC425BBFB81FF5B6F126841090B41E007916E4E46BB7FA38A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.665{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.Core.pdb2023-01-17 10:32:58.473 23542300x8000000000000000100629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.665{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.Core.pdbMD5=66581A97A63797D3978A399734CD02D5,SHA256=5E67A1EABFA5BD1888F290149E159CF1CCC9B4D582B35CF8789983CAA0AC1600,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.643{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.x.pdb2023-01-17 10:32:58.463 23542300x8000000000000000100627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.642{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.x.pdbMD5=B1531ACB8044C692F961EAD06DF8F7DC,SHA256=12B70953E5ACB804DF04C3BE195F2CB79B435DD52D1748C500A0040F6F4A3389,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.597{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.x.deps.json2023-01-17 10:32:58.448 23542300x8000000000000000100625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.596{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.x.deps.jsonMD5=D2EBAA90E40477C3C806A727B3429270,SHA256=7D84E09E1CF55B6ACA34D2D6C4A5343B0A43AD7F1224EEE763F2C7988AEAA1CE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.573{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.x.pdb2023-01-17 10:32:58.446 23542300x8000000000000000100623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.573{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.x.pdbMD5=BC5FFA03459673DC92F4BEA97FDDD28C,SHA256=35E4A744FC3751D32B419D1EDC6E4707FA51DC69837AA032E4772484251CEB20,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.543{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.x.deps.json2023-01-17 10:32:58.440 23542300x8000000000000000100621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.543{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.x.deps.jsonMD5=B4DEFBB1E756CBA08381C269BD04A50C,SHA256=3ACC11A717D7FBCFF22FE973DB256DFDE388F54226083FA06EDDA20721181135,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.520{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Mono.x.pdb2023-01-17 10:32:58.434 23542300x8000000000000000100619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.519{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Mono.x.pdbMD5=52AC60A7EE3014A5AA83206BAA98A3F3,SHA256=07D364BF3BA12D31B73C519804611E7BAEAA8635157F6B02E1C3AC91B47E85E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.494{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Mono.x.deps.json2023-01-17 10:32:58.429 23542300x8000000000000000100617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.494{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Mono.x.deps.jsonMD5=89189EA4DC6309CA58A1D4C0B90B128D,SHA256=1A074FBB0FB68521EA010C4D78AD709AC0F6E7D9F850FF31582D0C28DA71940A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.466{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Metadata.xml2023-01-17 10:32:58.427 23542300x8000000000000000100615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.466{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Metadata.xmlMD5=E6AFCA2F3ACEC02484877E9091A19C2F,SHA256=E3EC492F3715E875E47B291B5EF49370E4A004AE2FF68E88186A3701E7670159,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.416{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Metadata.pdb2023-01-17 10:32:58.425 23542300x8000000000000000100613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.416{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Metadata.pdbMD5=9707E5BF53373A5805139D7E44CB7C6B,SHA256=09B3B5C75B281EA2BD51CBE02CB81756C7FC8F5C59D53A78213E84A5E3A31663,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.386{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Interpreter.xml2023-01-17 10:32:58.420 23542300x8000000000000000100611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.385{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Interpreter.xmlMD5=059A3124E76E32F2F7528366E9B20433,SHA256=40E2B57FA18258F9C5769C914CCF38CFBEAFB6D75B8F994BA7891FAA4BE80731,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.363{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Interpreter.pdb2023-01-17 10:32:58.419 23542300x8000000000000000100609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.363{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Interpreter.pdbMD5=0EBBB8E09931176318A336ED0DBFB8F5,SHA256=1172313DE45E47B5D6CC2835743B1A83C6B01A462B6AEB48539C38AB623852FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.342{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.CorDebug.x.pdb2023-01-17 10:32:58.415 23542300x8000000000000000100607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.342{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.CorDebug.x.pdbMD5=FFDC1B44064E2FEC4C1684DBB9FE9E2C,SHA256=54D2D6EA3848409104F37CB8760BE7113D1358B3731947935607BAA4A39BE6C3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.307{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.CorDebug.x.deps.json2023-01-17 10:32:58.407 23542300x8000000000000000100605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.307{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.CorDebug.x.deps.jsonMD5=8ECBA0E391875DA9D42B00829C840A69,SHA256=BB216FC68CA4432367259CA5F193A8AB585E6037FCF96CA84140F7C9589DE4B3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.283{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Logic.xml2023-01-17 10:32:58.406 23542300x8000000000000000100603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.283{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Logic.xmlMD5=0B62386C2238C2FBABEBAA69DAE2FF4C,SHA256=33FDA0EE7AC15BF11A83CDE235FCFF8229FEB193945D41798A69F971D872F4F2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.249{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Logic.pdb2023-01-17 10:32:58.405 23542300x8000000000000000100601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.248{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Logic.pdbMD5=5799E503F4C7ED6DA36CD1F6190CE0D2,SHA256=16D34A2808D5A0273EEA930AC06685A4A88E4CA0768C3D95DE4E8EFF880F852D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.210{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.DnSpy.xml2023-01-17 10:32:58.393 23542300x8000000000000000100599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.209{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.DnSpy.xmlMD5=1B45548C71A6C88CA4878A029412F4AA,SHA256=DBAB17022644D59DDC1E4EF029A8C3E4D21982F824ADA1D4D58F2951F8A5C59B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.102{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.DnSpy.pdb2023-01-17 10:32:58.389 23542300x8000000000000000100597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.102{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.DnSpy.pdbMD5=CFD22ACD47EC42DA2364C0566C047ED7,SHA256=4A0E0B0E853FE99588D1B24F8F3C2476477BA757535EC021D11BFB1C5143DF51,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.060{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.xml2023-01-17 10:32:58.373 23542300x8000000000000000100595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.060{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.xmlMD5=E8D42A76E5CC5B47E133942DEF4A39C9,SHA256=446228E59AD01EAA3C60FE03AE5A7464AB6F3434A64ED72664057B3718C8D436,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.003{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.pdb2023-01-17 10:32:58.373 23542300x8000000000000000100593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:29.002{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.pdbMD5=8BB4035205EFE47317D12571C1BCFD23,SHA256=39AD51A6542ACFFFB227AF16CCA17E5E06DA25AD8ABEAAE2A5835C6726934D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:30.750{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4339D4C99354BE33194AB80614883FBB,SHA256=CCDF58E81229CB77E27E5185F23029D269AC61CE3637CDE179610A83D4D745E0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.999{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.pdb2023-01-17 10:34:19.374 23542300x8000000000000000100741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.999{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.pdbMD5=8BB4035205EFE47317D12571C1BCFD23,SHA256=39AD51A6542ACFFFB227AF16CCA17E5E06DA25AD8ABEAAE2A5835C6726934D9E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.975{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.xml2023-01-17 10:34:19.374 23542300x8000000000000000100739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.975{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.xmlMD5=4279FBA772C17F6DBE3AF8C58FCA0D55,SHA256=717D6B7720D66367AA34AA9A469B06266DDCDA5167A57125E3C68E70B9847D61,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.942{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.pdb2023-01-17 10:34:19.374 23542300x8000000000000000100737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.942{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.pdbMD5=686D5FB16EEAA0C172A965B3A4A465E1,SHA256=82B0F05EA5394C8C80D871B1E0608CC17FDBA23B506E0E31524B00702A311CC8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.921{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.Mono.xml2023-01-17 10:34:19.374 23542300x8000000000000000100735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.921{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.Mono.xmlMD5=7E7966F8C5B6AC43AE9FA2B0DBEEC912,SHA256=B1523F8875F244C09EEAF5C2C3487F63E30DF26CB774D5D9F39F8F6279241310,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.902{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.Mono.pdb2023-01-17 10:34:19.374 23542300x8000000000000000100733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.902{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.Mono.pdbMD5=0330B0F7A9B0AE3C0538259F98ACE331,SHA256=AF7B2DFE53D5D8EBC90D1F9B1EF0810C7BABD6D9BFB948B517308E12329A77C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.882{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.xml2023-01-17 10:34:19.359 23542300x8000000000000000100731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.882{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.xmlMD5=CE5852666F219AF8D69C36340615FCB6,SHA256=5A7DDA2E73EFDBF6B28AEC769F806281B5055738330DB9307066A7F8EF2150D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.863{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.pdb2023-01-17 10:34:19.359 23542300x8000000000000000100729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.862{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.pdbMD5=D59044D33333488516B5A8E6DDD9D35A,SHA256=D67C4B7628290E2A372439193E924A872CD28E888FD832C54DE4C8B803CA230F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.843{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Console.runtimeconfig.json2023-01-17 10:34:19.359 23542300x8000000000000000100727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.843{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Console.runtimeconfig.jsonMD5=C0BBAE9A92C0004F0E48A1303834A4F1,SHA256=D73D166ED2C36560E74CCD1067673BC17C881D570E09394DDD5EF0FFD3D9E8A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.824{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Console.pdb2023-01-17 10:34:19.359 23542300x8000000000000000100725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.823{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Console.pdbMD5=E2C3522EF043AB686DC1E8E0E1AA9EB6,SHA256=86E742E705CADFD203BBEFD835F9F33F692822D92F27F8FD1DAB2A334F6240F3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.802{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Console.deps.json2023-01-17 10:34:19.359 23542300x8000000000000000100723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.802{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Console.deps.jsonMD5=A3C738FE74D13366259A2FFA0F9DCE29,SHA256=627E129D29AA3BF684A808EF67A20EA94567CBB83DE24E8F44B1B46D1558B28F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.780{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.BamlDecompiler.x.pdb2023-01-17 10:34:19.359 23542300x8000000000000000100721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.780{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.BamlDecompiler.x.pdbMD5=3FEB19810A297659965A3018C2714177,SHA256=A08835E1C37CAF60BC550DA1FCF04E44B0CB575B94981964F3CFEC69A84DA549,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.756{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.BamlDecompiler.x.deps.json2023-01-17 10:34:19.359 23542300x8000000000000000100719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.756{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.BamlDecompiler.x.deps.jsonMD5=0F266C640DD82CF581E5E77698E473D6,SHA256=B1F0D979748561988A23C1988E5474BD9883B1289B812F2C2DCAB4530BE79328,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.732{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.AsmEditor.x.pdb2023-01-17 10:34:19.355 23542300x8000000000000000100717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.732{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.AsmEditor.x.pdbMD5=5ABF858EE8FF56B24922F3743FFB3AB5,SHA256=71D25336E343CC44F28FCD31D2CB329F6A8BBE20B67F656907C8F6FE2EE4CBED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.681{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.AsmEditor.x.deps.json2023-01-17 10:34:19.342 23542300x8000000000000000100715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.681{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.AsmEditor.x.deps.jsonMD5=BA4DCE6C4FB79EFFEFC0B8FE87CF666D,SHA256=FAF8C95F8CDBD82EF0BDC1EC36729AE73C6701B605D4BE2CE3E0CAFF057F26E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.658{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Analyzer.x.pdb2023-01-17 10:34:19.339 23542300x8000000000000000100713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.658{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Analyzer.x.pdbMD5=2DA6312BFBD307787C4C9053ACFCFE79,SHA256=75DE42949FEE23ECBDFD59B70BFDFB4DD0731DDA0852ACAD40630F48804FF8F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.634{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\read_it.txt2023-01-17 10:36:30.634 11241100x8000000000000000100711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.631{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Analyzer.x.deps.json2023-01-17 10:34:19.337 23542300x8000000000000000100710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.631{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Analyzer.x.deps.jsonMD5=9F048BA47944A7D017A5AEC1C8C99730,SHA256=527AF06A5106A7DFF682A58611303A29F061E456CD680D9522D4AE74B2283890,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.591{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\OtherLicenses.txt2023-01-17 10:33:00.439 23542300x8000000000000000100708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.591{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\OtherLicenses.txtMD5=E01DE8F65EA7581F8F4B2A55154B9C5D,SHA256=9307F5569A84496ACC8C532EE8ADAA0AC3804B42176E84741743ADEBADDEAE7D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.572{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\LICENSE.txt2023-01-17 10:33:00.439 23542300x8000000000000000100706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.572{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\LICENSE.txtMD5=6E62481BCA4DA045150C5E751387BFDB,SHA256=AABD9E3E68E8236C4B2A1504DF411D258C06463EF214B00681E62E60BB2C4559,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.553{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\GPLv3.txt2023-01-17 10:33:00.438 23542300x8000000000000000100704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.553{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\GPLv3.txtMD5=3C34AFDC3ADF82D2448F12715A255122,SHA256=0B383D5A63DA644F628D99C33976EA6487ED89AAA59F0B3257992DEAC1171E6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.552{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.551{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000100701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.532{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\CREDITS.txt2023-01-17 10:33:00.437 23542300x8000000000000000100700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.532{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\CREDITS.txtMD5=0E3C4AF9A19DE3F180DA7AF426D4EDB3,SHA256=1B8C084C8F900CA6597F36FDB0F53753A8A58F72FA7ADFEBE5F60E863901960C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.511{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\read_it.txt2023-01-17 10:36:30.511 11241100x8000000000000000100698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.510{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\ApacheV2.txt2023-01-17 10:33:00.437 23542300x8000000000000000100697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.509{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\LicenseInfo\ApacheV2.txtMD5=D273D63619C9AEAF15CDAF76422C4F87,SHA256=3DDF9BE5C28FE27DAD143A5DC76EEA25222AD1DD68934A047064E56ED2FA40C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.481{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\FileLists\DOTNET Framework v4.0 Client.FileList.xml2023-01-17 10:33:00.295 23542300x8000000000000000100695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.480{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\FileLists\DOTNET Framework v4.0 Client.FileList.xmlMD5=89FEED0B0471C125B6136DD5E8B1BD33,SHA256=93010C11CC6EE44B5C5F2B025C0AE80054F5488C787167D26C93AF0A430BDB9B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.460{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\FileLists\read_it.txt2023-01-17 10:36:30.460 11241100x8000000000000000100693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.458{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\FileLists\DOTNET Framework v3.5 Client.FileList.xml2023-01-17 10:33:00.295 23542300x8000000000000000100692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.458{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\FileLists\DOTNET Framework v3.5 Client.FileList.xmlMD5=AB73D16C5B4545A188B9A48969B48629,SHA256=FA14ABF50DB893120DF43B6AD9E05D31B74556FDC546088A4C6EE8A64D1FA7CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.435{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\debug\read_it.txt2023-01-17 10:36:30.434 11241100x8000000000000000100690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.434{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\debug\DotNet.ex.xml2023-01-17 10:33:00.224 23542300x8000000000000000100689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.433{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\debug\DotNet.ex.xmlMD5=A2B6052844B6D57BF393E5F96C5ED6C2,SHA256=E3E070BD833AADB481BB260111218886A1C78582AE2CCDBCADF49EE31F93E38E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.392{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\Mono.Debugger.Soft.pdb2023-01-17 10:32:58.946 23542300x8000000000000000100687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.392{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\Mono.Debugger.Soft.pdbMD5=4DC729FCB70C2F3EE3481378062D2386,SHA256=19AD81F1D70BFC7C97CF64827943B83C96CD18D63C9CD8DE2DF7EBE88F2114D0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.366{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.pdb2023-01-17 10:32:58.812 23542300x8000000000000000100685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.366{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.pdbMD5=66FC5402D0A3D8893000CA74F9A74062,SHA256=A043EDEA1564FDBA7AF74EE80EF34AC0B9378928AAA882C498039999AEFEF573,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.342{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.pdb2023-01-17 10:32:58.727 23542300x8000000000000000100683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.341{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.pdbMD5=E6BA2B73DC9FE32530AE71244E46E973,SHA256=2647DCE331BB64C0044FCF4B3E612FA1C918F099CEB88EF2B66E3F06D1332E5A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.320{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.pdb2023-01-17 10:32:58.676 23542300x8000000000000000100681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.320{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.pdbMD5=9DA97AD4EEA5E28207EDD91F7DAC2840,SHA256=67F72FDA5E843510452C17B29CCDFF406F6349C03683B613C8D1E8F23191F32E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.297{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.TreeView.pdb2023-01-17 10:32:58.622 23542300x8000000000000000100679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.297{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.TreeView.pdbMD5=2EC501F63098FD10568B9145136DE133,SHA256=FB76A00917887F59DE2629F4113F151EAE196CD26D1905867D3BFD4F6E1AB73E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.274{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.VB.pdb2023-01-17 10:32:58.618 23542300x8000000000000000100677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.274{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.VB.pdbMD5=DE69EE5260C0E9CAFF23F931E9BF05DF,SHA256=3C1DC74CFF70A7D32145E6BD8E0302781EE489848C0015FA7DF5F6DD8FA3EF5E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.246{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.pdb2023-01-17 10:32:58.614 23542300x8000000000000000100675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.246{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.pdbMD5=FF9CEC669CB273E5F3E3BC0549EE2673,SHA256=701A8A5C4757B8CDA12DE46D644B432C81679A69B11DDAD0E36241EDF4317166,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.216{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000100673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.216{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.CSharp.pdb2023-01-17 10:32:58.608 23542300x8000000000000000100672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.215{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.CSharp.pdbMD5=DC510F6F8DFF3FF243DDC66A86F33187,SHA256=8CDA83D87D470D86F1EC81C9E55DA95BA25C4B4F474807E11B2340D2C7811605,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.213{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.207{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.195{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000100668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.173{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.Decompiler.pdb2023-01-17 10:32:58.598 23542300x8000000000000000100667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.173{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.Decompiler.pdbMD5=734E5A2C4459BAFDD2482BD15F14F4D0,SHA256=7A304F2FD135078E6176C436D69C56A2F7CD60E987043D90B83159DA578DE21C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.139{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Scripting.Roslyn.x.pdb2023-01-17 10:32:58.566 23542300x8000000000000000100665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.139{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Scripting.Roslyn.x.pdbMD5=099D253989389EFB16558D5ADE97AF73,SHA256=1266482D5D5C38E527F23AB5457AE043EDED833B77CCAFD53275C4B61BE4306F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.116{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Scripting.Roslyn.x.deps.json2023-01-17 10:32:58.562 23542300x8000000000000000100663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.116{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Scripting.Roslyn.x.deps.jsonMD5=0D7528E912232BCB636D9A837F226FB9,SHA256=83527DF1573683DDBAA418D92673D697089CD40EE52D4BEE8A9A3BDDE7F74E67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.084{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.runtimeconfig.json2023-01-17 10:32:58.562 23542300x8000000000000000100661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.083{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.runtimeconfig.jsonMD5=C0BBAE9A92C0004F0E48A1303834A4F1,SHA256=D73D166ED2C36560E74CCD1067673BC17C881D570E09394DDD5EF0FFD3D9E8A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.062{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.xml2023-01-17 10:32:58.562 23542300x8000000000000000100659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.062{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.xmlMD5=DA26BAB606EEBD4EA7F4F7A7FFB53D59,SHA256=EE8D91ECF6B23AEDF2F4F2FE29FBE638559F40C4D970AE71D9F360598A2CDF13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.041{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.Internal.pdb2023-01-17 10:32:58.560 23542300x8000000000000000100657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.040{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.Internal.pdbMD5=9525CF9BD149F8536D9E67CD864A76AA,SHA256=DEE88794412B4501272EE358DC0D1027CCAE4FC1D8B719F48D1A70EDB1F484F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.020{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.pdb2023-01-17 10:32:58.558 23542300x8000000000000000100655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.019{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.pdbMD5=FDC71E92B29D328A57DE3E677B677B87,SHA256=AE50096AE35EE98DACCAE30E6A1A69A40286FFB201038C6AE70587382FB53DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:31.935{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED35DBECFCC465F0E37547A6232BE7D,SHA256=472712E32FF82D0CD136D2247F1C50A00662562B0CB8D009E2949F8D7FEB23D6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.996{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.Internal.pdb2023-01-17 10:34:19.518 23542300x8000000000000000100847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.993{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.Internal.pdbMD5=7DE1D23692D54AACFEAA933B5CE0F059,SHA256=1847B868853D3DC5F4AD6D5AEB08C7F2A6CA8E05BE04976079E891EB47BF81D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.971{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.EditorFeatures.pdb2023-01-17 10:34:19.515 23542300x8000000000000000100845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.971{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.EditorFeatures.pdbMD5=8C9FAE659F70654C4CC0316B145FE30F,SHA256=8481113D741992FA45C33212D69983C1C5447F07148123862E7E7E51551D1528,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.950{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.CSharp.Internal.pdb2023-01-17 10:34:19.509 23542300x8000000000000000100843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.950{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.CSharp.Internal.pdbMD5=5529A408CAFF1769B7BC3F56FEA24812,SHA256=AE52495BAA7A691DA66A745E3F7645C888664B2AABE05D0F6DD0F5623E063CAD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.929{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.CSharp.EditorFeatures.pdb2023-01-17 10:34:19.507 23542300x8000000000000000100841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.929{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.CSharp.EditorFeatures.pdbMD5=392AE708B3C632893F8244C5536F7847,SHA256=59F0468B3C63537B895EECB2EE7AA2AE98B16FED037825D72D2BB78AFF6525CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.902{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.pdb2023-01-17 10:34:19.492 23542300x8000000000000000100839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.902{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.pdbMD5=BF4656272A1680C4D3CB17D10C0105A1,SHA256=34F8AB6940D4DDA3DA92ADF0CE0CAB1E16B7D66BE350AD640A7D4BD57BEA4F1A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.799{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Images.pdb2023-01-17 10:34:19.492 23542300x8000000000000000100837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.799{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Images.pdbMD5=568433F31D561DB2DBC41BA2C01AB122,SHA256=E0F9B6E0B294FA9C85603974A83176FCFB8C3ACF8B4F793FCBEDBD45A2CF6209,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.779{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.deps.json2023-01-17 10:34:19.445 23542300x8000000000000000100835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.779{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.deps.jsonMD5=C5EBAE728E2F6D81EBB2811311491990,SHA256=C30990252F79F8A94C56CE5AF663ACF1333C34A4DD2C8ABD199C82C684A45408,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.747{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.pdb2023-01-17 10:34:19.445 23542300x8000000000000000100833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.747{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.pdbMD5=C9565685378D27E2A983CDE23FC7CC7B,SHA256=93433D8CFEA83D207F335F47EBFA11988E1FC3792C1640D797DE334E64C1C08D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.720{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.x.pdb2023-01-17 10:34:19.445 23542300x8000000000000000100831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.720{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.x.pdbMD5=61D8A1D551FDB9388BA156A4268BF26D,SHA256=5B50DB60CD9298C5A409B5115C1CB5648C58A710C53189D0805C82B98948EE0E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.699{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.x.deps.json2023-01-17 10:34:19.445 23542300x8000000000000000100829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.699{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.x.deps.jsonMD5=F471A5124354926A1A7D6B0408933957,SHA256=B7847DF0F2EF70ADCF7AE196AB4E651533EB36727271A40BDBC789B3B12D159F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.675{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.Core.pdb2023-01-17 10:34:19.445 23542300x8000000000000000100827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.675{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Decompiler.ILSpy.Core.pdbMD5=66581A97A63797D3978A399734CD02D5,SHA256=5E67A1EABFA5BD1888F290149E159CF1CCC9B4D582B35CF8789983CAA0AC1600,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.652{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.x.pdb2023-01-17 10:34:19.445 23542300x8000000000000000100825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.652{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.x.pdbMD5=6586C4B6072AE9E9F69D7BF9CCB67BBF,SHA256=4B74B26E3E3D6F8D5ED87C82A27393B8E243E2EEBD46D2D3CE5EFCBA562DE9A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.603{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.x.deps.json2023-01-17 10:34:19.431 23542300x8000000000000000100823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.603{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.x.deps.jsonMD5=C24751A62F93BE6930363EE6D7C63344,SHA256=CE4EF5436EA71FF0D8E40B44D34CDD55AC980C8E8FF64867201CB376B7F155D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.580{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.x.pdb2023-01-17 10:34:19.431 23542300x8000000000000000100821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.580{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.x.pdbMD5=FA928C5972BC927698E13D0EDBA49549,SHA256=4F230BB0BFAAC8030C70234353A2971EA78872A4FF94D4E8268BFD524D011383,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.551{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.x.deps.json2023-01-17 10:34:19.431 23542300x8000000000000000100819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.551{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.x.deps.jsonMD5=9F25BC7160D6E6629C6C25881607FFF9,SHA256=B9CE65C4F09163244C1233C7D7C5DA01A5902785505F64086F6AF441562A5B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.539{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-054MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.538{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0542023-01-17 10:36:31.537 11241100x8000000000000000100816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.536{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0552023-01-17 10:36:31.536 11241100x8000000000000000100815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.536{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.536{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E1024A05B3C16BE129825016698932,SHA256=C93C67CD42B4E07E2DFA82D9C49845BE2274C3B3332F371826D5F7B2CFB0F0C0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.523{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Mono.x.pdb2023-01-17 10:34:19.415 23542300x8000000000000000100812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.523{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Mono.x.pdbMD5=2BE5EAC4FEF0CB8C9A04A4C37D56C31A,SHA256=441B1310911508F5A63C19E293993E47A73F03EBD35A834E61011EA985B0B2C3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.497{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Mono.x.deps.json2023-01-17 10:34:19.415 23542300x8000000000000000100810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.497{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Mono.x.deps.jsonMD5=CE5EB57A4256A16176BE8D92CB9BF4E3,SHA256=235F08B9D4173E115F514EED0F6EA4134FD1FAD98A29A3908112932E39EB21C8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.472{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Metadata.xml2023-01-17 10:34:19.415 23542300x8000000000000000100808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.472{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Metadata.xmlMD5=E6AFCA2F3ACEC02484877E9091A19C2F,SHA256=E3EC492F3715E875E47B291B5EF49370E4A004AE2FF68E88186A3701E7670159,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.432{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Metadata.pdb2023-01-17 10:34:19.415 23542300x8000000000000000100806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.429{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Metadata.pdbMD5=9707E5BF53373A5805139D7E44CB7C6B,SHA256=09B3B5C75B281EA2BD51CBE02CB81756C7FC8F5C59D53A78213E84A5E3A31663,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.399{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Interpreter.xml2023-01-17 10:34:19.415 23542300x8000000000000000100804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.399{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Interpreter.xmlMD5=059A3124E76E32F2F7528366E9B20433,SHA256=40E2B57FA18258F9C5769C914CCF38CFBEAFB6D75B8F994BA7891FAA4BE80731,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.372{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Interpreter.pdb2023-01-17 10:34:19.415 23542300x8000000000000000100802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.372{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.Interpreter.pdbMD5=0EBBB8E09931176318A336ED0DBFB8F5,SHA256=1172313DE45E47B5D6CC2835743B1A83C6B01A462B6AEB48539C38AB623852FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.351{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.CorDebug.x.pdb2023-01-17 10:34:19.412 23542300x8000000000000000100800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.351{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.CorDebug.x.pdbMD5=F68C2697121A3A0D0607A253A1550EE6,SHA256=6B2B25A8B17D42A1913DE3E073F508A3077CFC021A5F62C4CFC46A9396B9E2D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.314{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.CorDebug.x.deps.json2023-01-17 10:34:19.405 23542300x8000000000000000100798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.314{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Debugger.DotNet.CorDebug.x.deps.jsonMD5=627CE81FE850BF71E6883D7864A8E513,SHA256=93E412614334C594B7B0447E1E9F69CE901DCDC062CC296A2C2BB1D96E2270C6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.291{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Logic.xml2023-01-17 10:34:19.404 23542300x8000000000000000100796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.290{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Logic.xmlMD5=0B62386C2238C2FBABEBAA69DAE2FF4C,SHA256=33FDA0EE7AC15BF11A83CDE235FCFF8229FEB193945D41798A69F971D872F4F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.272{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.269{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.267{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.265{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.263{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.260{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.258{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.256{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000100787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.255{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Logic.pdb2023-01-17 10:34:19.388 23542300x8000000000000000100786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.254{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Logic.pdbMD5=5799E503F4C7ED6DA36CD1F6190CE0D2,SHA256=16D34A2808D5A0273EEA930AC06685A4A88E4CA0768C3D95DE4E8EFF880F852D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.253{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.249{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.246{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.235{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.233{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.230{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.228{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000100778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.226{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.DnSpy.xml2023-01-17 10:34:19.388 23542300x8000000000000000100777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.226{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.DnSpy.xmlMD5=1B45548C71A6C88CA4878A029412F4AA,SHA256=DBAB17022644D59DDC1E4EF029A8C3E4D21982F824ADA1D4D58F2951F8A5C59B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.224{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.222{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.219{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.217{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.210{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.208{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.180{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.178{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.177{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.177{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000100766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.177{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x8000000000000000100765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.176{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.176{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.161{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.148{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.140{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000100760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.116{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.DnSpy.pdb2023-01-17 10:34:19.388 23542300x8000000000000000100759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.115{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.DnSpy.pdbMD5=CFD22ACD47EC42DA2364C0566C047ED7,SHA256=4A0E0B0E853FE99588D1B24F8F3C2476477BA757535EC021D11BFB1C5143DF51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.098{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.092{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.076{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.072{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000100754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.071{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.xml2023-01-17 10:34:19.374 23542300x8000000000000000100753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.070{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Contracts.Debugger.xmlMD5=E8D42A76E5CC5B47E133942DEF4A39C9,SHA256=446228E59AD01EAA3C60FE03AE5A7464AB6F3434A64ED72664057B3718C8D436,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.070{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.068{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.064{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.062{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.060{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.059{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.057{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000100745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.056{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000100744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.014{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:31.014{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18DAFC0EA3DCBA629F323839686B606,SHA256=590043B4EC35EF64FBDA7AEF88E980E15B361263317F24F2B69776BAD554E6A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.981{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\pkcs11.txt2023-01-17 10:32:24.361 23542300x8000000000000000100930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.980{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\pkcs11.txtMD5=0B94D2913639D019C9E20611503B16B1,SHA256=275237F12750458E7754B095E19C5E23CF3690DABC42C7FA90D49248A167E567,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.931{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\handlers.json2023-01-17 10:32:26.283 23542300x8000000000000000100928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.931{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\handlers.jsonMD5=E7A65C5EAD519A7B802F991353C26D3D,SHA256=0E5CE92485DA953757F615BAD034A43032B220DA18F8165DD85347851B56B2D2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.910{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\extensions.json2023-01-17 10:32:25.026 23542300x8000000000000000100926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.910{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\extensions.jsonMD5=0E65A56B25B7062523DB78871F410791,SHA256=C92FEB0BF95C688E8AD8D31F896C785DFC8482520EAB9723BF828CBE1A041E92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.292{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64572-false10.0.1.12-8089- 354300x8000000000000000100924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:30.256{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64571-false10.0.1.12-8000- 11241100x8000000000000000100923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.891{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\extension-preferences.json2023-01-17 10:32:26.277 23542300x8000000000000000100922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.891{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\extension-preferences.jsonMD5=AE847CBF837F2442924326B0E1DA512A,SHA256=1D48A03B907EA8C2412AB0DEA238ABCD1C7BA686DC1CAC155EC55A598F0533F3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.870{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\ExperimentStoreData.json2023-01-17 10:32:27.160 23542300x8000000000000000100920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.870{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\ExperimentStoreData.jsonMD5=66EADFCA79DC76450AE84A48419CCACF,SHA256=8AEA61D657EF0C92A38E5C686729C6036033239B3195841200CFAFF0371DB868,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.852{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\containers.json2023-01-17 10:32:27.304 23542300x8000000000000000100918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.852{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\containers.jsonMD5=94A3843FAD8C45C48B0E07342DF3DFDC,SHA256=854FF2076F71097B030C302A1EA71D8E851D2920B9FF5FC8DC8F16C91BA95B72,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.831{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\compatibility.ini2023-01-17 10:32:23.392 23542300x8000000000000000100916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.831{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\compatibility.iniMD5=54524FDF23DE2E0BD54CFCE628593B0D,SHA256=23F78649AE34D5267FF49EB3EF6262F868673A7A1FC1DA25556D750419C3886F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.792{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\read_it.txt2023-01-17 10:36:32.792 11241100x8000000000000000100914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.792{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\addons.json2023-01-17 10:32:25.027 23542300x8000000000000000100913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.792{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\addons.jsonMD5=3088F0272D29FAA42ED452C5E8120B08,SHA256=D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.774{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini2023-01-17 10:32:23.392 23542300x8000000000000000100911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.774{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.iniMD5=F7087ECA33F3D9E87570401D73657145,SHA256=B12FE29406DFE7A28EEA16739128A5D4AE48DF5FE732FCFF7ED468CA2A2F97E2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.755{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\read_it.txt2023-01-17 10:36:32.755 11241100x8000000000000000100909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.755{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\installs.ini2023-01-17 10:32:23.392 23542300x8000000000000000100908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.752{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\installs.iniMD5=8CCF2435DC569F23EEEC23C1081758FD,SHA256=129C423F563A7CB1FAEE97555F8EA57E1125F3BDFAEBD50343EE71D711BBFE8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.717{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg2023-01-17 10:20:09.861 23542300x8000000000000000100906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.717{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=3B37B17DD4BC1D9C070AC93AFEB23B60,SHA256=2FE4AE0E40D226A883EBE437B2CAEEC0919AE2AC18D5D4CE1A98D729D84EBB31,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.682{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\dnSpy\read_it.txt2023-01-17 10:36:32.682 11241100x8000000000000000100904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.682{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\dnSpy\dnSpy.xml2023-01-17 10:34:03.220 23542300x8000000000000000100903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.681{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\dnSpy\dnSpy.xmlMD5=4BB26B0904BDA7D8DBE3F7CA0E2CDE68,SHA256=9FCA127A1C05B8508047BDC2BE5075B90C84503AA24DCCB288599AA617D4C0E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.625{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\OtherLicenses.txt2023-01-17 10:34:21.478 23542300x8000000000000000100901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.622{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\OtherLicenses.txtMD5=E01DE8F65EA7581F8F4B2A55154B9C5D,SHA256=9307F5569A84496ACC8C532EE8ADAA0AC3804B42176E84741743ADEBADDEAE7D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.605{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\LICENSE.txt2023-01-17 10:34:21.478 23542300x8000000000000000100899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.605{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\LICENSE.txtMD5=6E62481BCA4DA045150C5E751387BFDB,SHA256=AABD9E3E68E8236C4B2A1504DF411D258C06463EF214B00681E62E60BB2C4559,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.586{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\GPLv3.txt2023-01-17 10:34:21.478 23542300x8000000000000000100897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.586{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\GPLv3.txtMD5=3C34AFDC3ADF82D2448F12715A255122,SHA256=0B383D5A63DA644F628D99C33976EA6487ED89AAA59F0B3257992DEAC1171E6B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.554{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\CREDITS.txt2023-01-17 10:34:21.477 23542300x8000000000000000100895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.554{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\CREDITS.txtMD5=0E3C4AF9A19DE3F180DA7AF426D4EDB3,SHA256=1B8C084C8F900CA6597F36FDB0F53753A8A58F72FA7ADFEBE5F60E863901960C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.538{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-055MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.534{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\read_it.txt2023-01-17 10:36:32.534 11241100x8000000000000000100892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.533{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\ApacheV2.txt2023-01-17 10:34:21.476 23542300x8000000000000000100891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.533{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\LicenseInfo\ApacheV2.txtMD5=D273D63619C9AEAF15CDAF76422C4F87,SHA256=3DDF9BE5C28FE27DAD143A5DC76EEA25222AD1DD68934A047064E56ED2FA40C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.503{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\FileLists\DOTNET Framework v4.0 Client.FileList.xml2023-01-17 10:34:21.350 23542300x8000000000000000100889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.502{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\FileLists\DOTNET Framework v4.0 Client.FileList.xmlMD5=89FEED0B0471C125B6136DD5E8B1BD33,SHA256=93010C11CC6EE44B5C5F2B025C0AE80054F5488C787167D26C93AF0A430BDB9B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.484{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\FileLists\read_it.txt2023-01-17 10:36:32.483 11241100x8000000000000000100887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.482{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\FileLists\DOTNET Framework v3.5 Client.FileList.xml2023-01-17 10:34:21.349 23542300x8000000000000000100886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.481{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\FileLists\DOTNET Framework v3.5 Client.FileList.xmlMD5=AB73D16C5B4545A188B9A48969B48629,SHA256=FA14ABF50DB893120DF43B6AD9E05D31B74556FDC546088A4C6EE8A64D1FA7CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.456{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\debug\read_it.txt2023-01-17 10:36:32.456 11241100x8000000000000000100884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.456{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\debug\DotNet.ex.xml2023-01-17 10:34:21.275 23542300x8000000000000000100883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.456{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\debug\DotNet.ex.xmlMD5=A2B6052844B6D57BF393E5F96C5ED6C2,SHA256=E3E070BD833AADB481BB260111218886A1C78582AE2CCDBCADF49EE31F93E38E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.414{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Mono.Debugger.Soft.pdb2023-01-17 10:34:19.883 23542300x8000000000000000100881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.414{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Mono.Debugger.Soft.pdbMD5=4DC729FCB70C2F3EE3481378062D2386,SHA256=19AD81F1D70BFC7C97CF64827943B83C96CD18D63C9CD8DE2DF7EBE88F2114D0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.388{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.pdb2023-01-17 10:34:19.745 23542300x8000000000000000100879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.388{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.pdbMD5=66FC5402D0A3D8893000CA74F9A74062,SHA256=A043EDEA1564FDBA7AF74EE80EF34AC0B9378928AAA882C498039999AEFEF573,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.364{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.pdb2023-01-17 10:34:19.677 23542300x8000000000000000100877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.364{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.pdbMD5=E6BA2B73DC9FE32530AE71244E46E973,SHA256=2647DCE331BB64C0044FCF4B3E612FA1C918F099CEB88EF2B66E3F06D1332E5A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.343{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.pdb2023-01-17 10:34:19.632 23542300x8000000000000000100875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.343{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.pdbMD5=9DA97AD4EEA5E28207EDD91F7DAC2840,SHA256=67F72FDA5E843510452C17B29CCDFF406F6349C03683B613C8D1E8F23191F32E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.319{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.TreeView.pdb2023-01-17 10:34:19.570 23542300x8000000000000000100873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.319{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.TreeView.pdbMD5=2EC501F63098FD10568B9145136DE133,SHA256=FB76A00917887F59DE2629F4113F151EAE196CD26D1905867D3BFD4F6E1AB73E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.298{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.VB.pdb2023-01-17 10:34:19.570 23542300x8000000000000000100871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.298{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.VB.pdbMD5=DE69EE5260C0E9CAFF23F931E9BF05DF,SHA256=3C1DC74CFF70A7D32145E6BD8E0302781EE489848C0015FA7DF5F6DD8FA3EF5E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.274{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.pdb2023-01-17 10:34:19.570 23542300x8000000000000000100869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.271{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.pdbMD5=FF9CEC669CB273E5F3E3BC0549EE2673,SHA256=701A8A5C4757B8CDA12DE46D644B432C81679A69B11DDAD0E36241EDF4317166,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.238{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.CSharp.pdb2023-01-17 10:34:19.568 23542300x8000000000000000100867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.238{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.NRefactory.CSharp.pdbMD5=DC510F6F8DFF3FF243DDC66A86F33187,SHA256=8CDA83D87D470D86F1EC81C9E55DA95BA25C4B4F474807E11B2340D2C7811605,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.199{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.Decompiler.pdb2023-01-17 10:34:19.560 23542300x8000000000000000100865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.199{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\ICSharpCode.Decompiler.pdbMD5=734E5A2C4459BAFDD2482BD15F14F4D0,SHA256=7A304F2FD135078E6176C436D69C56A2F7CD60E987043D90B83159DA578DE21C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.165{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Scripting.Roslyn.x.pdb2023-01-17 10:34:19.527 23542300x8000000000000000100863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.165{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Scripting.Roslyn.x.pdbMD5=DC580B6385E464E433BAAC7874390135,SHA256=40ADE2943D71653E61429C5A5CA042218B726153C339079EE0F437331E6B6D60,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.141{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Scripting.Roslyn.x.deps.json2023-01-17 10:34:19.525 23542300x8000000000000000100861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.141{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Scripting.Roslyn.x.deps.jsonMD5=11ADAFB27E3F7C9C2653F9C2EAED08FD,SHA256=97CA128D8A36E66464A4E68C24D399548651F8C52C6FFA4121577DEEB3A74A37,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.108{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.runtimeconfig.json2023-01-17 10:34:19.524 23542300x8000000000000000100859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.108{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.runtimeconfig.jsonMD5=C0BBAE9A92C0004F0E48A1303834A4F1,SHA256=D73D166ED2C36560E74CCD1067673BC17C881D570E09394DDD5EF0FFD3D9E8A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.088{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.xml2023-01-17 10:34:19.523 23542300x8000000000000000100857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.088{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.xmlMD5=DA26BAB606EEBD4EA7F4F7A7FFB53D59,SHA256=EE8D91ECF6B23AEDF2F4F2FE29FBE638559F40C4D970AE71D9F360598A2CDF13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.068{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.VisualBasic.Internal.pdb2023-01-17 10:34:19.523 23542300x8000000000000000100855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.068{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.VisualBasic.Internal.pdbMD5=9525CF9BD149F8536D9E67CD864A76AA,SHA256=DEE88794412B4501272EE358DC0D1027CCAE4FC1D8B719F48D1A70EDB1F484F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.056{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.056{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072431F259011D34EA26A91158913E46,SHA256=CFD92C9A3119E735E6048663EA3F21D0916557BEF9145BD876B40D6F716BE5EE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.044{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.pdb2023-01-17 10:34:19.522 23542300x8000000000000000100851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.044{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.pdbMD5=FDC71E92B29D328A57DE3E677B677B87,SHA256=AE50096AE35EE98DACCAE30E6A1A69A40286FFB201038C6AE70587382FB53DF2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.023{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.pdb2023-01-17 10:34:19.518 23542300x8000000000000000100849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:32.023{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\dnSpy.Roslyn.pdbMD5=8969C45D7977F33CA436D48C8EEF5C57,SHA256=4115BB998BA008AA110863AEEA120E2469A5CD72FCCF3EDD346DD6A6978D876B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.421{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.390{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.362{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.347{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.315{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.288{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.281{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.271{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.269{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.267{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.266{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.264{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.261{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.255{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.247{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.245{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.238{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.233{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.231{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.220{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.210{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.171{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.159{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.142{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.131{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.126{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.121{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.113{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.105{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.097{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.090{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.087{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 23542300x800000000000000070182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:33.015{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A85E7866CAA0C5E58D8823AF23A7FB3,SHA256=51D61BB456A8C323AD189E8A2311F0239FF9387161D4A2E21150D15B92A6D3C6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.988{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 734700x8000000000000000101433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.987{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000101432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.974{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000101431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.974{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000101430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.964{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3925E01E00CC6FF3435E0657E78562D0,SHA256=843F42CE8D28816A990ADB0B9393592703F8CE5A4008E5F5513815A2886F973F,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x8000000000000000101429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.928{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046,IMPHASH=563B6F147961D943E0261E05EAD94B56trueMicrosoft WindowsValid 734700x8000000000000000101428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.958{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=C9DBBC2C3A27BB195586C3BC3CDBC198,SHA256=005F60E22A386DB12FA086D7E83DE521B00F69B073D1859E4E13C3F745690638,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x8000000000000000101427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.895{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x8000000000000000101426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.949{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x8000000000000000101425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.883{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\mmcndmgr.dll10.0.14393.4169 (rs1_release.210107-1130)MMC Node Manager DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmmcndmgr.dllMD5=DDDF9C3B3B4CCFAAD35BA49B0864608F,SHA256=A8EE05699A2CE04D63D078C33A397ABE8D90AE6BC5F0156230620615B13A2F8B,IMPHASH=51AD9533DC3E1E0CFCFEECD129A51944trueMicrosoft WindowsValid 734700x8000000000000000101424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.934{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 734700x8000000000000000101423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.925{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x8000000000000000101422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.919{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000101421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.843{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853trueMicrosoft WindowsValid 734700x8000000000000000101420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.910{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\oleacc.dll7.2.14393.5127 (rs1_release_inmarket.220514-1756)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=3737D7B3A07BD11A31CD91B11F7EBA46,SHA256=528C1810C991DD93FA25D6A67A1415BC0A189189AEE0A62C0C79A43AA594E978,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 734700x8000000000000000101419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.901{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000101418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.898{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x8000000000000000101417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.819{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\odbc32.dll10.0.14393.3471 (rs1_release_1.191218-1729)ODBC Driver ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationodbc32.dllMD5=7BE20E672645485F6A3B2E34389344BA,SHA256=B6F6E06CACEE09FB6CC0ACF874477FC9094EA4C14A07FF59B228BDD23C7BF02A,IMPHASH=B6FE10FF835FBB8612CC749787B5472EtrueMicrosoft WindowsValid 734700x8000000000000000101416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.885{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\msxml6.dll6.30.14393.5648MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=B82E1559DD59365F9C56E23434DA4FB6,SHA256=BA153BC8608EBE74778B362FFDA7805C7871199D6C9BD6819DC0239E84009900,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 734700x8000000000000000101415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.810{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\mfc42u.dll6.06.8063.0MFCDLL Shared Library - Retail VersionMicrosoft (R) Visual C++Microsoft CorporationMFC42.DLLMD5=DD361EE0A665F41783E02CEA20285E61,SHA256=457BF44CC1BE99FD74983178AC34E83AEC2ED73DFEE9F9FC7F5F501AD8A6D03B,IMPHASH=5407FE666C5FCACC20F969C8CE05D993trueMicrosoft WindowsValid 11241100x8000000000000000101414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.855{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.855{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB234953A90096801CF223EB1727209F,SHA256=F169FCCB1873EFAD776B289B75A8514CAC632EB37F610E9F0FC688ADD7559C20,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.852{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000101411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.852{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000101410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.852{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000101409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.852{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000101408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.852{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x8000000000000000101407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.846{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000101406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.846{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000101405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.846{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000101404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.846{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000101403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.846{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000101402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.846{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000101401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.843{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000101400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.807{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\mmcbase.dll10.0.14393.4169 (rs1_release.210107-1130)MMC Base DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmmcbase.dllMD5=1C8D01FA2F46DA43580F66690E59F942,SHA256=24E48F93B6050D9DA4D1B93D07FCEA7F15AF8142BA8F4B8CFEF19FA670EB5B4E,IMPHASH=3A0957E0E673BE892DE6FEF53C3A2C7BtrueMicrosoft WindowsValid 734700x8000000000000000101399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.792{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exeMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9FtrueMicrosoft WindowsValid 734700x8000000000000000101398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.822{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000101397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.819{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x8000000000000000101396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.819{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000101395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.810{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000101394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.810{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000101393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.810{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000101392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.807{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0trueMicrosoft WindowsValid 734700x8000000000000000101391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.807{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000101390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.807{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000101389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.792{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000101388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.807{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000101387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.807{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000101386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.798{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000101385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.798{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000101384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.798{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000101383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.798{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000101382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.795{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000101381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.795{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.795{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000101379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.791{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E,IMPHASH=EE6E7AA59AC992D3937C01196243C8D7trueMicrosoft WindowsValid 734700x8000000000000000101378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.795{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000101377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.795{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000101376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.795{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000101375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.792{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000101374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.792{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.792{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 10341000x8000000000000000101372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.788{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.788{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.788{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.788{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.765{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\wbadmin.msc" delete catalog -quietC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet 734700x8000000000000000101367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.754{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000101366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.760{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000101365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.759{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 734700x8000000000000000101364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.753{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000101363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.757{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.757{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.756{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000101360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.753{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000101359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.753{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 10341000x8000000000000000101358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.744{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.742{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x8000000000000000101356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.732{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000101355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.729{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000101354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.728{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000101353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.727{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x8000000000000000101352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.726{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.726{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.726{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000101349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.724{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000101348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.722{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000101347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.720{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000101346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.718{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000101345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.718{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000101344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.717{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000101343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.717{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.710{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\cmdext.dll10.0.14393.0 (rs1_release.160715-1616)cmd.exe Extension DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCmdExt.DLLMD5=71B9AD2C078C208ED1633DE7DDAA834F,SHA256=44A35F3F5561E722EA1ED9A128BFF127E6086B114678774BC674BC717DD779B4,IMPHASH=03503926F7A6CC110815DF46C0AEFD5FtrueMicrosoft WindowsValid 734700x8000000000000000101341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.717{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000101340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.716{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000101339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.716{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000101338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.716{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000101337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.715{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000101336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.715{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000101335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.714{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000101334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.713{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000101333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.712{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000101332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.712{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000101331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.712{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000101330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.712{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000101329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.711{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000101328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.711{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000101327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.704{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000101326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.701{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000101325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.698{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000101324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.696{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000101323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.692{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.692{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.692{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000101320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.690{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000101319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.690{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000101318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.690{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000101317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.689{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000101316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.689{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000101315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.689{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000101314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.689{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000101313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.688{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000101312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.688{F172AD64-7A31-63C6-C502-00000000B002}71804432C:\Windows\system32\conhost.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.686{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000101310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.686{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000101309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.685{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000101308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.685{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000101307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.685{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000101306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.684{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.683{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x8000000000000000101304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.683{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 10341000x8000000000000000101303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.683{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x8000000000000000101302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.683{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000101301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.682{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.682{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x8000000000000000101299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.682{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000101298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.682{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x8000000000000000101297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.682{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000101296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.682{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000101295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.682{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000101294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.682{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000101293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.682{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000101292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.659{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\System32\bcdedit.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000101291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.681{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000101290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.681{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000101289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.680{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000101288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.679{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000101287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.679{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000101286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.679{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000101285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.678{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.678{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x8000000000000000101283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.677{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.676{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000101281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.648{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\System32\bcdedit.exeC:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exeMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6trueMicrosoft WindowsValid 734700x8000000000000000101280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.676{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000101279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.656{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\System32\bcdedit.exeC:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exeMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6trueMicrosoft WindowsValid 734700x8000000000000000101278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.675{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.675{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000101276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.675{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.675{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.675{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.675{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.674{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.674{F172AD64-7A1A-63C6-AF02-00000000B002}81526308C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+5958c|C:\Windows\System32\shell32.dll+125a17|C:\Windows\System32\shell32.dll+125975|UNKNOWN(00007FFF75F42EEF) 154100x8000000000000000101270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.674{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quietC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" 10341000x8000000000000000101269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.674{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.578{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\vsswmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI Provider for VSSMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSPROV.DLLMD5=74CBE3C22A64B107AFED820F00B9C98F,SHA256=F907E0CFD0B7B27BCF2D8D5C0D6E4C8E1B962E96C6D611A54B6E6877FDEA8130,IMPHASH=0CACD7A3A6C4A27F7C061428AA9D4886trueMicrosoft WindowsValid 734700x8000000000000000101267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.658{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\System32\bcdedit.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000101266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.658{F172AD64-7A31-63C6-C102-00000000B002}48448040C:\Windows\system32\conhost.exe{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.657{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\System32\bcdedit.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000101264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.657{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\System32\bcdedit.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000101263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.656{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\System32\bcdedit.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000101262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.656{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.656{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.656{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.656{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.655{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.655{F172AD64-7A31-63C6-C002-00000000B002}72885808C:\Windows\System32\cmd.exe{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.656{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {default} recoveryenabled noC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no 734700x8000000000000000101255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.566{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 10341000x8000000000000000101254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.655{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A31-63C6-C302-00000000B002}6504C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.652{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\System32\bcdedit.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000101252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.651{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\System32\bcdedit.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000101251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.651{F172AD64-7A31-63C6-C102-00000000B002}48448040C:\Windows\system32\conhost.exe{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.650{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\System32\bcdedit.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000101249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.649{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\System32\bcdedit.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000101248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.649{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\System32\bcdedit.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000101247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.648{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.648{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.648{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.648{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.648{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.647{F172AD64-7A31-63C6-C002-00000000B002}72885808C:\Windows\System32\cmd.exe{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.644{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no 10341000x8000000000000000101240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.644{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A31-63C6-C202-00000000B002}2324C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.642{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.642{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2566C5C2BD661EEE72FD3DFE95DE84D,SHA256=8DFBEEC485E15BAEB43070FFBE3D956F7DEA952CF71D7E2D5BF9ADE0A73B45A7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.640{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000101236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.556{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x8000000000000000101235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.637{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000101234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.635{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000101233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.633{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x8000000000000000101232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.547{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wininet.dll11.00.14393.5582 (rs1_release.221130-1719)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=CB2C069BBC0C6F01FCF8B8CC33B759F3,SHA256=20A51841566FBBADEE3D80FA2A5BCA22125CB60AB48D8C07868A0E104557D017,IMPHASH=3A3043B2614699B8AF49F62AD14660B1trueMicrosoft WindowsValid 10341000x8000000000000000101231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.629{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.629{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.629{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000101228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.627{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000101227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.627{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000101226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.627{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000101225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.627{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000101224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.626{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000101223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.626{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000101222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.626{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000101221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.625{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000101220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.625{F172AD64-7A31-63C6-C102-00000000B002}48448040C:\Windows\system32\conhost.exe{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.622{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x8000000000000000101218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.622{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 23542300x8000000000000000101217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.622{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA26B0E74A88B49926ACDEF772D096A,SHA256=EDCCBBDAA7424C03EA9FE0AE96813DD18F63074D6882C85035A23F5FE115A10C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.621{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000101215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.621{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000101214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.621{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000101213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.620{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000101212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.620{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000101211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.617{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.617{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000101209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.616{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000101208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.616{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000101207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.616{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000101206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.615{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000101205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.615{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000101204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.615{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000101203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.614{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000101202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.613{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 11241100x8000000000000000101201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.613{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 10341000x8000000000000000101200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.613{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000101199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.613{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E020C6DA6E65FC9E422E3EFEDB51881,SHA256=136EB76FE999CABA995DC920D83203767DC7C0ABBD4611474CCCA6F19AAE61F5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.612{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 11241100x8000000000000000101197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.612{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 734700x8000000000000000101196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.612{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 23542300x8000000000000000101195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.612{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=011A8E59A31F0B1AB9F95142E16AFB6A,SHA256=926E65AEDB3D057A20FF2C546AB598537E06C451E9E72A6F5028FAFF4E0C56F9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.611{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.611{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x8000000000000000101192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.610{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A31-63C6-C102-00000000B002}4844C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.609{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000101190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.609{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000101189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.607{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.607{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000101187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.607{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.607{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.607{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.607{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.606{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.606{F172AD64-7A1A-63C6-AF02-00000000B002}81527736C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+5958c|C:\Windows\System32\shell32.dll+125a17|C:\Windows\System32\shell32.dll+125975|UNKNOWN(00007FFF75F42EEF) 154100x8000000000000000101181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.606{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" 10341000x8000000000000000101180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.606{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A31-63C6-C002-00000000B002}7288C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.585{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 734700x8000000000000000101178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.579{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 734700x8000000000000000101177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.579{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid 734700x8000000000000000101176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.507{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msxml3.dll8.110.14393.5127MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=9D77BBEA5D618AC8D5218553D30E51FF,SHA256=E3B966541623884A78A09EA6D36269853B31FE31FB6DF90B48080F13E006F5DC,IMPHASH=A80F24725C5C87DCE74AE4F927273077trueMicrosoft WindowsValid 10341000x8000000000000000101175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.574{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.574{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.574{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.489{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x8000000000000000101171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.550{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 10341000x8000000000000000101170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.550{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.550{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.549{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000101167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.548{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000101166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.478{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2,IMPHASH=AB84E6F170EE70C2F0F5C709A85E872CtrueMicrosoft WindowsValid 734700x8000000000000000101165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.467{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326EtrueMicrosoft WindowsValid 734700x8000000000000000101164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.461{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\mfcsubs.dll2001.12.10941.16384 (rs1_release.160715-1616)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationMFCSUBS.DLLMD5=5E86F41BCF9EA6B3527D273217C4D4A7,SHA256=8DC0AB5F336FE8DF2FE87DF350C67072C7287F971F3E45917C288A9C0B664EBC,IMPHASH=96EC2FEA777EB0F0B73CC9A2448A9866trueMicrosoft WindowsValid 734700x8000000000000000101163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.461{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\catsrvut.dll2001.12.10941.16384 (rs1_release.221103-1703)COM+ Configuration Catalog Server UtilitiesMicrosoft® Windows® Operating SystemMicrosoft Corporationcatsrvut.DLLMD5=2F4032B8693945D2C509C0A8213B782A,SHA256=7F1127149C194950539F9925B4BFCF293DF375805CA801A9B6A505216E1A2B01,IMPHASH=D5E2BFCE361310D195CA06EA9E6D2433trueMicrosoft WindowsValid 734700x8000000000000000101162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.513{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000101161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.512{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.511{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000101159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.511{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000101158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.511{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000101157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.511{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000101156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.510{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000101155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.510{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000101154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.509{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000101153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.452{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\fssprov.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft® File Server Shadow Copy ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationFSSPROV.DLLMD5=CA1D17E3A0ABF54000E69D104661A968,SHA256=3ED0BD9CFB6D6089A6F454BF1287A7DB8A4ADFB819CE5F8D52DA435A3F3DCF92,IMPHASH=430F50D6AA61D60A23D372ADC6175EF3trueMicrosoft WindowsValid 734700x8000000000000000101152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.509{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000101151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.509{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000101150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.509{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x8000000000000000101149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.449{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=92CD5DA45ABA4CE45313783FCB345D99,SHA256=B0F20BE2B144056E488F8FF51E266F426625E64E3C91CCD17895A441A0935C46,IMPHASH=7712978A8D93CC3BE5668BB2C1A9F990trueMicrosoft WindowsValid 734700x8000000000000000101148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.446{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 734700x8000000000000000101147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.446{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 734700x8000000000000000101146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.492{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000101145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.492{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000101144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.491{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.491{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.490{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000101141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.440{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release.220929-2054)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=D5B0BD83918122D5D3AE6C6A01E0FC43,SHA256=EB6FBBEFD6B16EF0CD80356CE1AE6AF87478BBABED8B09BF29356A138782BB5E,IMPHASH=D73DA1D2C74E22057889487739A1CF17trueMicrosoft WindowsValid 734700x8000000000000000101140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.486{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000101139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.485{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x8000000000000000101138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.484{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000101137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.483{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.482{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000101135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.431{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000101134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.480{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000101133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.480{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000101132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.479{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000101131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.479{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000101130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.478{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000101129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.478{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000101128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.475{F172AD64-6CE8-63C6-1100-00000000B002}6121624C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000101127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.473{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.473{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000101125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.428{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\authz.dll10.0.14393.4886 (rs1_release.220104-1735)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=A26BCF0FE442174708AA3DB7602B5A3D,SHA256=18D5690E120DFC6260C6D2E75BD84660824EAAF919B3CDF24C46AA1D18C301EB,IMPHASH=720B221BA6A01692F2370B4CCC197970trueMicrosoft WindowsValid 734700x8000000000000000101124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.470{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000101123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.470{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.470{F172AD64-7A31-63C6-BC02-00000000B002}79168164C:\Windows\system32\conhost.exe{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.470{F172AD64-6CE8-63C6-1100-00000000B002}6121624C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 734700x8000000000000000101120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.470{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000101119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.470{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000101118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.467{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000101117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.467{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.467{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.467{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.467{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.467{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.467{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.467{F172AD64-7A31-63C6-BB02-00000000B002}76687236C:\Windows\System32\cmd.exe{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.464{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic shadowcopy deleteC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete 10341000x8000000000000000101109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.467{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.464{F172AD64-6CE8-63C6-1100-00000000B002}6121624C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000101107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.464{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.428{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\bcd.dll10.0.14393.1794 (rs1_release.171008-1615)BCD DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationbcd.dllMD5=8CCF9CCA4EEEC2594793B33F487FD327,SHA256=6C0601675E07083C28199BB7933A2CF5EF3784DC243BD030EB963052C3C4D4CA,IMPHASH=13F6727DFBA0EC436911ACC99667406EtrueMicrosoft WindowsValid 10341000x8000000000000000101105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.461{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.461{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A31-63C6-BF02-00000000B002}8140C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.425{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x8000000000000000101102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.455{F172AD64-6CE8-63C6-1100-00000000B002}6121624C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 734700x8000000000000000101101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.455{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000101100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.452{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000101099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.425{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000101098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.452{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000101097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.452{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 10341000x8000000000000000101096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.449{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.449{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.422{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000101093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.446{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000101092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.446{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 734700x8000000000000000101091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.419{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEMD5=C417EA0DC7EF39347AB3AFC6D9CE0A3C,SHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB,IMPHASH=B933B302F069B1ED43D97EAA68CD7B05trueMicrosoft WindowsValid 734700x8000000000000000101090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.434{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000101089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.434{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.431{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000101087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.431{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.431{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000101085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.431{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000101084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.431{F172AD64-6CE6-63C6-0A00-00000000B002}616104C:\Windows\system32\services.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.425{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 734700x8000000000000000101082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.425{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000101081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.425{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 734700x8000000000000000101080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.425{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid 734700x8000000000000000101079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.425{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000101078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.425{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000101077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.425{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000101076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.425{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000101075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.422{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000101074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.422{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000101073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.422{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000101072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.422{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000101071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.422{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000101070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.422{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000101069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.419{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000101068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.419{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000101067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.419{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.419{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.419{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.419{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.419{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.419{F172AD64-6CE6-63C6-0A00-00000000B002}6165072C:\Windows\system32\services.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.408{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEC:\Windows\system32\vssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C417EA0DC7EF39347AB3AFC6D9CE0A3C,SHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB,IMPHASH=B933B302F069B1ED43D97EAA68CD7B05{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\System32\services.exeC:\Windows\system32\services.exe 734700x8000000000000000101060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.392{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid 10341000x8000000000000000101059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.404{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.404{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.401{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.401{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CE6-63C6-0A00-00000000B002}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.398{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000101054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.398{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\system32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.398{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\system32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.395{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000101051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.395{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000101050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.392{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000101049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.382{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 734700x8000000000000000101048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.380{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 734700x8000000000000000101047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.375{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\vssadmin.exe10.0.14393.0 (rs1_release.160715-1616)Command Line Interface for Microsoft® Volume Shadow Copy Service Microsoft® Windows® Operating SystemMicrosoft CorporationVSSADMIN.EXEMD5=2964D232005BD840B38F9DB4F95DC7DB,SHA256=4FE71EB779B57354E5600DC31E3DC1875ADC8A06663654AEC83F11109751E8FC,IMPHASH=974DD2AFBD6D9BAE89608D1B181CCCF8trueMicrosoft WindowsValid 734700x8000000000000000101046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.381{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000101045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.381{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000101044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.381{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.381{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000101042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.381{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000101041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.380{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000101040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.380{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000101039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.380{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000101038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.379{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000101037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.379{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000101036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.378{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000101035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.378{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000101034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.378{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000101033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.378{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000101032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.377{F172AD64-7A31-63C6-BC02-00000000B002}79168164C:\Windows\system32\conhost.exe{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.376{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000101030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.376{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000101029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.375{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000101028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.375{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.375{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.375{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.374{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.374{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.374{F172AD64-7A31-63C6-BB02-00000000B002}76687236C:\Windows\System32\cmd.exe{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.372{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\System32\vssadmin.exe10.0.14393.0 (rs1_release.160715-1616)Command Line Interface for Microsoft® Volume Shadow Copy Service Microsoft® Windows® Operating SystemMicrosoft CorporationVSSADMIN.EXEvssadmin delete shadows /all /quiet C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=2964D232005BD840B38F9DB4F95DC7DB,SHA256=4FE71EB779B57354E5600DC31E3DC1875ADC8A06663654AEC83F11109751E8FC,IMPHASH=974DD2AFBD6D9BAE89608D1B181CCCF8{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete 734700x8000000000000000101021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.342{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000101020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.369{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A31-63C6-BD02-00000000B002}8000C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.369{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000101018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.366{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000101017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.334{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 734700x8000000000000000101016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.363{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000101015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.362{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x8000000000000000101014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.313{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 10341000x8000000000000000101013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.359{F172AD64-6CE8-63C6-1000-00000000B002}3562312C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.358{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.358{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000101010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.355{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000101009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.355{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000101008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.355{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000101007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.355{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000101006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.355{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000101005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.355{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000101004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.355{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000101003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.355{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000101002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.355{F172AD64-7A31-63C6-BC02-00000000B002}79168164C:\Windows\system32\conhost.exe{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.352{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000101000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.352{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000100999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.352{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000100998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000100995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.301{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x8000000000000000100994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000100992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000100991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000100990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000100989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000100988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000100987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.349{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000100986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.346{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000100985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.346{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000100984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.346{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000100983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.346{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000100982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.346{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000100981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.343{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000100980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.343{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x8000000000000000100979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.343{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A31-63C6-BC02-00000000B002}7916C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.343{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000100977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.343{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000100976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.343{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000100975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.342{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.342{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.342{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.342{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.342{F172AD64-7631-63C6-A501-00000000B002}1960516C:\Windows\system32\csrss.exe{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.342{F172AD64-7A1A-63C6-AF02-00000000B002}81527268C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+5958c|C:\Windows\System32\shell32.dll+125a17|C:\Windows\System32\shell32.dll+125975|UNKNOWN(00007FFF75F42EEF) 154100x8000000000000000100969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.339{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy deleteC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" 10341000x8000000000000000100968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.337{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A31-63C6-BB02-00000000B002}7668C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.337{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000100966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.331{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000100965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.331{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000100964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.331{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000100963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.331{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x8000000000000000100962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.267{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000100961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.267{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000100960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.264{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000100959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.264{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000100958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.264{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000100957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.252{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 11241100x8000000000000000100956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.185{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\o6dguptx.default\read_it.txt2023-01-17 10:36:33.185 11241100x8000000000000000100955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.185{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\o6dguptx.default\times.json2023-01-17 10:32:23.392 23542300x8000000000000000100954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.185{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\o6dguptx.default\times.jsonMD5=F68F2C1168792C54C263163276C79733,SHA256=F5EAEC4FBEB135F7EE29D01725F3D8805B9CCEEE8930833BC20EFCB3BDACB147,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.158{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\read_it.txt2023-01-17 10:36:33.158 11241100x8000000000000000100952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.158{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:32:26.175 23542300x8000000000000000100951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.158{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=910C8602DEB02612A31DC0E92E55A63D,SHA256=B91F2BE94189A8D2B61440D5F88BB13F63BF2B739B32BE57A0891045F23BC8C9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.137{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\state.json2023-01-17 10:32:25.284 23542300x8000000000000000100949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.137{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\state.jsonMD5=4D83EDB59F11C77EF2D26AA7A925AF69,SHA256=0AB2C33E4CD092037C7CDC4AA5E6B2D90D3217B3D36B0B57345928A397BC6AEE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.119{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\read_it.txt2023-01-17 10:36:33.119 11241100x8000000000000000100947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.119{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\session-state.json2023-01-17 10:33:24.085 23542300x8000000000000000100946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.119{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\session-state.jsonMD5=B86D27ECC128D7BBE3B094B5734037D0,SHA256=12AEC41E52F1222E01EDB85404F57405C57DC83C7A8DF8A9D3861643DCF59065,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.101{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\xulstore.json2023-01-17 10:34:34.273 23542300x8000000000000000100944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.098{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\xulstore.jsonMD5=C4A53415413DF9DB3B72ECBD5484AA07,SHA256=6B261BD49534617198338CE75AA6C8FCF7D3E1CC2E5F9B1F7ACB709D04B24BE1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.082{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000100942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.082{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040FFA2EEE38839C6988473BA570E9A1,SHA256=043659F80AE7DC8FCB242070AC2025FFB7C4F9A5DCDB6DC449168975BBA72569,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.079{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\times.json2023-01-17 10:32:23.392 23542300x8000000000000000100940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.078{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\times.jsonMD5=3105823328719695EB36420C4644F0D0,SHA256=5ECB4A8B5EEBF69E6D06CE65A5D6E2FB14CD2CA24D6D266BCD45EF8FA3CAF02B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.058{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\targeting.snapshot.json2023-01-17 10:32:27.876 23542300x8000000000000000100938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.058{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\targeting.snapshot.jsonMD5=B936317FF13C5CB3464B89867C1E6F4E,SHA256=38EB8D3F3E697DD64820D846F8A760C95CD6CEC33A553D30F8EF03DFC408B6E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.037{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shield-preference-experiments.json2023-01-17 10:32:26.281 23542300x8000000000000000100936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.037{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\shield-preference-experiments.jsonMD5=285CDEFB3F582C224291F7A2530F3C4E,SHA256=704D28223A4320A853DF4A19D48C7015CF79D56A5317CC3475B6305FA43DCC05,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.019{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionCheckpoints.json2023-01-17 10:32:24.030 23542300x8000000000000000100934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.019{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionCheckpoints.jsonMD5=C4AB2EE59CA41B6D6A6EA911F35BDC00,SHA256=00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000100933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.001{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs.js2023-01-17 10:34:54.562 23542300x8000000000000000100932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:33.001{F172AD64-7A1A-63C6-AF02-00000000B002}8152ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs.jsMD5=0F05399941D1A411BA116D8BA6918C2F,SHA256=CDAB413CB68E51B8E4C5ADD573316C2602495AA398C48AE21511F6849B17D0E0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.822{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6,IMPHASH=291B64B0984CCD3A091CF75D2A111D5DtrueMicrosoft CorporationValid 10341000x8000000000000000101488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.605{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.605{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.605{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.605{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.605{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.605{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.599{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.599{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.599{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.598{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.598{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.598{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x8000000000000000101476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.483{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 13:16:44.659 23542300x8000000000000000101475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.483{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BBADC03ED508F1A40E91349D500D4079,SHA256=BA384FA2B5A47D2E90A9B48EE884D016D5B312D0E53F926028E980B3DC83F7D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.379{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000101473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.379{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD8F94A55E10BE074DB349090976EAC1,SHA256=D0B673973BFF8E07D9C47A9FC6EE21ED69683087BD0098BB5D386B1E30A02CB9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.361{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\sessionstore-backups\recovery.jsonlz4.tmp2023-01-17 10:36:34.361 10341000x8000000000000000101471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.347{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000101470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.347{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000101469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.347{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 734700x8000000000000000101468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.279{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x8000000000000000101467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.276{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000101466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.275{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000101465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.252{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000101464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.258{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\wldp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=E0E13482A64635E305045F9EECAF4F53,SHA256=68291C8D8C6C8CDC112A9BA73B28C5C29CD87017E96DBCC5009B9BCDBDDEF326,IMPHASH=BAB4B09716AD341771228F16AF6CB4A6trueMicrosoft WindowsValid 734700x8000000000000000101463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.252{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000101462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.249{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000101461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.246{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\sxs.dll10.0.14393.5582 (rs1_release.221130-1719)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=F2A8CD581B7D437C69B57A11C3C45E5D,SHA256=43CE351FE5BBF22128A1A60EC5BE4C70B0BC1496AD276FF04A484F7B86921B0A,IMPHASH=1CD4F5164C272A4717A58FD86B640C54trueMicrosoft WindowsValid 734700x8000000000000000101460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.219{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=1E97AB4809C6F313924374B955C06609,SHA256=0EED3DC3607EC986FFC8BE594A6656D668647DCC84E2158006123A4EBD273B12,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 10341000x8000000000000000101459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.216{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.213{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.201{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x8000000000000000101446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.201{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x8000000000000000101445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.152{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 734700x8000000000000000101444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.149{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153,IMPHASH=0524DC27AA10ADA72FFB6F88F5FD8829trueMicrosoft CorporationValid 734700x8000000000000000101443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.146{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32F,IMPHASH=CD244BF7A749BF0B13E038D2EE842BFCtrueMicrosoft CorporationValid 734700x8000000000000000101442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.143{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=3E93DA6D9661961064868E1DC8719674,SHA256=94E0505EFFF30A222546870508A8016D3EABE0F1B05ECC51997153AB9D9188DF,IMPHASH=259C196C67C4E02F941CAD54D9D9BB8AtrueMicrosoft CorporationValid 11241100x8000000000000000101441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.143{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.140{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AB378C38B406B9AF7FEA3C4707A7CA,SHA256=275A1454D694EB9233E7408802E05D673F379C255ABB19D3D2AC636A14D2434C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.128{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.125{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AE7F6149889336E91521267814CCF9,SHA256=A4BCBCA013FB791731CA19698BB7A295083EB973E3AC775C27A5D948E2A87F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:34.134{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DB249CBAA5344B67BECBA96DFE2A1E,SHA256=0F7AFCAC62EA43D54EF95278F9E773D5193A249EEAE8975CCE6F7631469E8939,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.052{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x8000000000000000101436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.043{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 734700x8000000000000000101435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:34.004{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000101507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.956{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x8000000000000000101506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.762{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 11241100x8000000000000000101505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.750{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.750{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD5A52A0DFBE0C8F7CFFB0D8E8CD6CD,SHA256=C5159F71E526686D7FBE9E3159802DC48912646DF8A1C96946C8A7E63E80EE25,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.631{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x8000000000000000101502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.435{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5501_none_aec664b1ddd8c519\GdiPlus.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=C8D45154ED70BAC1BEEFD0189370A4BB,SHA256=9F85F30113189576460BAE5BF56327A4E3DB65B84E8933595260DA224C8811E8,IMPHASH=BC747D18CC28DFF374DB67CDCF580B6BtrueMicrosoft WindowsValid 10341000x8000000000000000101501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.385{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000101500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.384{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000101499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.384{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000101498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.384{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000101497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.384{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000101496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.384{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 734700x8000000000000000101495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.254{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\credui.dll10.0.14393.5648 (rs1_release.230105-1654)Credential Manager User InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationcredui.dllMD5=B1E6026E177671849991402EC273C5F0,SHA256=2847C2909FB10306257832F7780E4D821BF300DB7EAA8A6689FEDAE80981C125,IMPHASH=759BDFE8131F73A7B2386342DE7A7604trueMicrosoft WindowsValid 734700x8000000000000000101494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.251{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\blbproxy\v4.0_10.0.0.0__31bf3856ad364e35\blbproxy.dll10.0.14393.4046 (rs1_release.201028-1803)Managed Proxy between LHBackup engine and UIMicrosoft® Windows® Operating SystemMicrosoft CorporationManagedProxy.dllMD5=97C8E61DB9A00244C5D3047F8C59E47F,SHA256=966D71D88823420C43ED6B1172AE4FA6AADF48B271048BADC2A4BD5A00456A8A,IMPHASH=0746B327FFA4FA1457971DD53A4314F6trueMicrosoft WindowsValid 734700x8000000000000000101493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.251{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\blbproxy\v4.0_10.0.0.0__31bf3856ad364e35\blbproxy.dll10.0.14393.4046 (rs1_release.201028-1803)Managed Proxy between LHBackup engine and UIMicrosoft® Windows® Operating SystemMicrosoft CorporationManagedProxy.dllMD5=97C8E61DB9A00244C5D3047F8C59E47F,SHA256=966D71D88823420C43ED6B1172AE4FA6AADF48B271048BADC2A4BD5A00456A8A,IMPHASH=0746B327FFA4FA1457971DD53A4314F6trueMicrosoft WindowsValid 734700x8000000000000000101492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.251{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\blbproxy\v4.0_10.0.0.0__31bf3856ad364e35\blbproxy.dll10.0.14393.4046 (rs1_release.201028-1803)Managed Proxy between LHBackup engine and UIMicrosoft® Windows® Operating SystemMicrosoft CorporationManagedProxy.dllMD5=97C8E61DB9A00244C5D3047F8C59E47F,SHA256=966D71D88823420C43ED6B1172AE4FA6AADF48B271048BADC2A4BD5A00456A8A,IMPHASH=0746B327FFA4FA1457971DD53A4314F6trueMicrosoft WindowsValid 734700x8000000000000000101491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.254{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000101490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.251{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1,IMPHASH=4CAFDD735088F52AC974373982DCCDF2trueMicrosoft WindowsValid 23542300x800000000000000070222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:35.197{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C2F6A1693DE84D2C509885FD823A2B,SHA256=56314DABF6B86CEF871038D578D3D730C1A78D9E2F311FD93DBC941FD81FFADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:36.276{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2B5D54ABA3B0C7B75730772B126429,SHA256=123B1281AD837A2F9A80179A2C357706533CE04F7EDD4577D1DE84260A49FD00,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:36.292{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:36.292{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6203F3C27C574917E2DCEFCB850F42,SHA256=A870C3275190A56DF99CB03D688C3A46C6C3E196BB2585DB231B0D70727153FA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:36.047{F172AD64-7A31-63C6-C602-00000000B002}5892C:\Windows\System32\mmc.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 354300x800000000000000070223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:34.013{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50387-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:37.582{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E895EDA88767800EC3D0621C9ED141,SHA256=85F5D1A06FA552A56FFB598EF5503AD6C42958E89E8887BB119D7D18ECF103F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:35.349{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64573-false10.0.1.12-8000- 11241100x8000000000000000101512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:37.353{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:37.353{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1948205AD796585EAB4897B4D9F4C9F6,SHA256=CFFE9693FE2C71D52ACFD93FAEAA59E5DB230D6B1001B375D716C099EB9F99F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:38.689{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279B6A0E0920CE90C874BCA2E6EDD1FE,SHA256=98B82FDCA6731BD1AE303C59F8A134181B85D361F880462C32C7E350468B2203,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:38.472{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:38.472{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D364AB3DC48DB28C623430518A046AA,SHA256=F4354498FEC9B76FEB3895032F2BD5E84A3B7AE39BAEA66BA5FC88B22DD3B704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:39.782{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD0D50E154F759512C2A18B1AA51CA1,SHA256=012935F6C81DBFD965DB6EF682DC3C5A3965D1BE828F63C97051DEA978656443,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:39.516{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:39.516{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:39.516{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:39.516{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:39.516{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:39.516{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:39.516{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:39.508{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:39.507{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433AFE252D6CBE84525669696F9CEC48,SHA256=A6480DDE0C3AE01A07239CE2C0BDC4CAB42EE9055B3D78511A095F9C1BB46C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:40.974{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F35AB3C5223860960E9B26ED4A17E42,SHA256=8CFB1676D572F60B666DC79F32AA121BF1004330321ECDB256E7611915D0917B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:40.560{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:40.560{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6111F19DE0E78814113C30D4D7435A26,SHA256=FDC71F40402AFE09669429C5EA6845587A8BCDAE523AD09E773DCE6FCE7C49BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:41.637{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:41.636{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF15C0EC80E7510115EA9B29A33F8E16,SHA256=EF7315DF449E192260C88A9964EA103FF7F624E964A878190525F3B7F8C4547E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:39.052{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50388-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000101528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:41.433{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:41.433{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:42.736{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:42.736{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:42.676{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:42.676{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA34A9F75CE39D65169EEF5D5DF89275,SHA256=67765F9922CFD36606A2C0826DA89890FC4E22DBC6E80B15BFE06382E8E407AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:42.054{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0751CC55A707FF1B554FCA832DE30E,SHA256=2D3C3F8025D03D12F46897BC8BD8FC7E2F71D3211076A3D3DB74589895973FBE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:42.542{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000101531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:42.542{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FF7979C9E1F6D04E5A912754A36DAABB,SHA256=5ADE29AF967E9A1C58C790FE8955A3F20250576ED69E533473F85B7DBB1F84E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:43.700{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:43.700{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA849DD27B98914966E11F4ABA26C1D,SHA256=5E59D56020A331C71F6FC3118B46FB9D3D4A3973BFA9FEC098D19AC3523B82FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:43.141{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B396442D2E46A327BAC80BEE277E8F2,SHA256=507D8B1D3CE71707C5684CE11BB390E21573DE6D9CBCE9F7F41667CEF4A01474,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:40.354{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64574-false10.0.1.12-8000- 11241100x8000000000000000101548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:44.779{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:44.779{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4014FA02B1309275FCFBB49E1D53A003,SHA256=D7B6409FE9256F518408B77DC08690A7A25BD747E76D4BD9C45220271EE6913B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:44.498{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7C4BCD387D7FE3A1E3A9ECDB95E29123,SHA256=0DF828B9082708DFCE3BA502B3823D9DD700EE1EDC5E1AABADD7A23CAD0EBE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:44.230{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE31BFB581196246EBBF7539CC1FD84,SHA256=5352BD4B75D7A249CB085CAD1201D23C402B0E43A068C0A363BDE546E9F458DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:44.385{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:44.385{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:44.385{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:44.385{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:44.385{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:44.385{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:44.385{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:45.818{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:45.818{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5CB7361993345AAEA04E2BB8F5FBAA,SHA256=E3C911DECD26F003FB97B31F77D5B8235AF848AAC0916652CE4F5A02C1EFDA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:45.321{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADAB4DD240C0420B05EC72B4FC98194,SHA256=E3299600D647D5BAB1FE14A9FF812FCEF9ABFB9B56B5428E63D1A66FB6F73DF9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:46.872{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:46.872{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA197756F15870D137D8FA11A74E7A0,SHA256=3705415A98FDC834C005DEAEE7743354D75E791160C3D55178843DE174A97DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:46.401{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D4B6CA647DD7FEED1E0A4DF81ED6DF,SHA256=C4FB1E1353BBA12C3A65A110E16FC39E9212CD1421AA371BB79F777095E63D78,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:44.093{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50389-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000101554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:47.924{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:47.923{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B769B03F05E960D37B38E0830D611AFE,SHA256=F9BD812220FA88ECA2555C5B5DB3F76D6CC84E5B0A08E64B6E0DCB87EBD1D560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:47.505{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAD91AD9DAFD40603FF1D0614C3D151,SHA256=74D70C057C2C0F670EDF198B390FFEF66BB98DBFE4F4D53D661B4C3DA933D1B9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.977{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.977{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA53C7F90DC317DACE02EBF5C102C81,SHA256=BC8F1BE30B78E1C92A2453D03EF536DAC8E84BEF3AF7CBF4E0B1118E62C3CCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:48.590{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC596EBEEE307805A06449579842042,SHA256=5C8136C36351A34579F10F34C8D59A773D1E29FABC377FF5D2A9C68B1479985C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:46.167{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64575-false10.0.1.12-8000- 10341000x8000000000000000101577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.257{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.253{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.248{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.246{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.244{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.237{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.233{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.231{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.230{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.224{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.210{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.203{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.196{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000101564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.188{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:36:48.188 10341000x8000000000000000101563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.188{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.174{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.145{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.126{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.118{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.107{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.099{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.056{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:48.052{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000070239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:49.791{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47D5129DB2F34AA263A96DAACB4C2F9,SHA256=CB1A57175819345220ACF2DC17020AA8FD9630BC172B82A44F8C2E3401DB46BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:50.900{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68152D334BEC0D03B6C87B448E856F05,SHA256=71248271A4B52F1D5E7D70AA0F5A0D775CC66F40529318D06E4C6D009693A1B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.738{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.736{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 734700x8000000000000000101596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.406{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000101595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.395{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 10341000x8000000000000000101594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.433{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.433{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.433{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.392{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000101590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.389{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000101589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.387{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000101588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.382{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000101587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.377{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.304{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.298{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.292{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.278{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000101582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.049{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:50.049{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80792E2F322C75E160B8B2AF42B14C22,SHA256=A9BC7375948788F0DCB53528D0BB2DE2DF6A3F75D6198E60EEDB2D7171C388C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.452{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF55B4DFCB3BC7814B8923D44C395A9E,SHA256=B5B593986FA644E86DF0A24471CB402A53C21CC66099D61F31C52B5252CE035B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.440{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.439{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.437{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.432{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.430{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.427{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.425{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.423{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.421{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.418{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.415{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.413{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.409{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.407{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.396{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.393{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.391{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.389{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.386{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.383{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.381{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.378{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.371{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.370{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.346{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.345{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.344{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.344{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.343{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.330{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.321{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.319{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.287{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.281{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.270{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.266{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.264{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.262{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.260{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.258{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.255{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.254{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.252{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x8000000000000000101605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.251{F172AD64-7640-63C6-CB01-00000000B002}61966292C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 11241100x8000000000000000101604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.133{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.133{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4E77FAF3A3E06DF31E51BF8C0F36A6,SHA256=D5F07903EC32C4F94DB5D98AE6D32987CAEB622C60086A91B64BDC0EC4347481,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.032{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.031{F172AD64-6CE7-63C6-0C00-00000000B002}832692C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.031{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000101599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.031{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 11241100x8000000000000000101651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:52.351{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:52.351{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B1B15DD61B53C3CF69C8BE824ED2C3,SHA256=6975E139782EE1D6B6F1A5324244ED89C89E1602FE89D1EB000C10C92336F957,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:50.062{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50390-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000070266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.186{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.186{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.185{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.185{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.185{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.185{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.171{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.169{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.169{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6204072C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.145{F6EEFE7F-6CEF-63C6-1400-00000000B102}10282636C:\Windows\system32\svchost.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+dc41|C:\Windows\system32\wbem\wbemcore.dll+2cfcf|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.107{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.107{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.092{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.092{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.092{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.092{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6204072C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.076{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9831B2AE767FA1E9D2261B32CABED8EB,SHA256=8C3FF33A40E0314FDD12753FAEC49B21EE5DE3B5A6BB0FD4546C40AF418E2D8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.060{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.060{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.060{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.060{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.060{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.060{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620668C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.029{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:52.029{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620668C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.640{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.625{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.595{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.583{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.558{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.548{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.538{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.532{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.531{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.526{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.521{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.518{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.515{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.513{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.509{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.508{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.507{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.504{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.497{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.494{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.488{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.483{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.478{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.470{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.468{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.456{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.447{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.365{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.309{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.236{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.213{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.200{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.167{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 23542300x800000000000000070273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.162{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126232A9410CB137FE4F9A2A8F08D846,SHA256=805511C81A1003FB33B1459438BC5B7457E94820618A74AC6AD3268CA0996E52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.151{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 23542300x800000000000000070271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.146{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3526AE70E2F9C00C5CC20EB8DC1925C8,SHA256=B08A1D929E77C6BEF551A566CEDB4C3D2133B68BE72D40E21657947D7C50B473,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.123{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:53.115{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 11241100x8000000000000000101656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:53.497{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-17 09:40:52.407 23542300x8000000000000000101655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:53.497{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=901AAFF3DF9329E259AD285E0A9ABB4A,SHA256=A8ED845C76ECEFB6AFB9A3F8B2471A7E2F34DAB78B2E475C6F6F92A8BBE76473,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:53.453{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:53.453{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62057B4DD84D175A72470EE5726A9C6,SHA256=7358758523B3352DF994F08076B815B4D2982098D99A38C4610BABFD4243299F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:51.173{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64576-false10.0.1.12-8000- 11241100x8000000000000000101661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:54.556{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:54.556{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356A1690BD073B237B126F5961A77DBD,SHA256=1C9CD4EB927030C2656EA93720766B66F084093D91C15E869B019EF6215EA0A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:54.556{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs.js2023-01-17 10:36:54.556 23542300x800000000000000070322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.696{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853A9EB5EE35A72864D8C96BC2F026E7,SHA256=42A30B9FE882930E44694A79FB6E45748B8A67CA715029295F5627ED9224A272,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.463{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.463{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.463{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.462{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.462{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.462{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.148{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 10341000x800000000000000070314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.148{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 10341000x800000000000000070313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.148{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 10341000x800000000000000070312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.145{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.082{F6EEFE7F-6CEF-63C6-1400-00000000B102}10283880C:\Windows\system32\svchost.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.070{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.054{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:54.054{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:54.054{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:36:54.054 11241100x8000000000000000101657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:54.054{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:36:54.054 11241100x8000000000000000101663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:55.636{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:55.635{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12613F3D8B85CE847DFA8397CC85F55C,SHA256=1C8FEBAC9048ED8CF97B7430A5756C1367613B85210A3F0913C3386660FE6DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:55.181{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36163B16D9A2BFF178018F9166451894,SHA256=EC411BAE2F94E4847139A7547FCCE1564361C5FD0917F48A7C3CC008D461F597,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:55.158{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 10341000x800000000000000070324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:55.158{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 10341000x800000000000000070323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:55.158{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245624C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480A90) 354300x800000000000000070329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:55.205{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50391-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:56.235{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FEC6C3C14446C3E1EA2B5295F6AB32,SHA256=F796D86C8C4E9DCE3EF4402DC72F21987D598D5DD29E86B382213AB5D9195537,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:56.819{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:56.819{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7558CF6EA9C80EBC66A937D084EF933,SHA256=44A2F808062B53DC38D0C6062B049C68796D1C1A5245AC251D31793D0A5B4CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:56.005{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:57.430{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEED92EB16C00AD0802FA4EB605A3F5E,SHA256=CF31F4D7C01E3C681CC16BAAF4305361A4E88AF21AF3C890385D6B1F1332FAF9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:57.892{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:57.892{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B41D323B5D04850C1D5E9A87725381A,SHA256=4DB5FF7B2545D08597611F15FFCF9FA1EB7058AC2F36872FCE1EEE5F847DCC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:58.633{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD24813FD545BFAA68E0F6CA57FA903C,SHA256=A7D3DFAA9A1B7E5BD8D5BD8CAA078F382EAA4717EA1775378C28C29659C795E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:58.925{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:58.925{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B59EF2F8C893D9C62BAEA605EAA9F5,SHA256=DB5E8EF3F1891AECDB99F2057F3E0B965252D9BF6A723EDF9B53A01392B6D0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:59.774{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:59.727{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C873DDD19686DC7D092C4C5102A469,SHA256=6C6E2FC9A311F78F3C722F8A5A552A3A767825EF5B5EC32F9F98435E8EC1E216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:56.184{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64577-false10.0.1.12-8000- 23542300x800000000000000070335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:00.928{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF9922037501F891ABCEE7C7B235DDA,SHA256=E44CB6FE93FFD11CD5E20C1C0399F33E459BBB9FD7FDF15EFDB34275D106F909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:00.428{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8B46D7431ABBBAF61804A99FF4699E74,SHA256=7EB0724437AF9B2BB616F63F717D75E4609CCAC30BB5AC567B98A83BD6AB7C4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:59.999{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:36:59.999{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8496C5902A07524B807FDAAE09C13270,SHA256=3B1AE35B40FE163EEEFE9885763F4C454F8D35EECEB972B69DA3ED023FFF08C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:36:59.762{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50392-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000101674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:01.069{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:01.069{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D39BF3C170E2AA1C833D24A92911D3,SHA256=60EFD3FA8D551C2903E575510FAC0D2ECE4A975D828733C15AA4B224762CDFFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:02.871{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:02.871{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:02.871{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:02.012{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD900BC22BF95889DE033555E994B340,SHA256=FBAFDE438C6314AD1BDC80FBA5C95CCB9B455A87FBF60D3D61101F6780EC512A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:02.129{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:02.129{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CE56592E251AE96416DC7A185B39B2,SHA256=6A3AE655A02270DA77248B7DDFCA540A5E4A687785D555C432B9283D977BC974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:03.214{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA01FDA59384BA87FB2F82CB9FB742E9,SHA256=4B224FCD37F65F70C5AB001DAF37C030002E0D296FB075A97599DA088C38BE41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:01.222{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64578-false10.0.1.12-8000- 11241100x8000000000000000101678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:03.215{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:03.215{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7794846A1EAF2BE031A63A54570D2E59,SHA256=796D795D8F2A3CAA5CF14D7BD6B85F3A37383F9B9F8DCD2D021911046DB0EA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:03.074{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=267216A793C68D3A822778EED3D77030,SHA256=C724D4E0D7EE829C908AD499D187BBAAAFCEBC37A26C39DD9E2E2EA57462E881,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:01.111{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50393-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:04.317{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519779D45DAB7A2401E81061EEFC2CE0,SHA256=E2A2A3ECE3CFA5906FE3A009463E15A9A8FF3A6C99A72F3508D8805E12C96E11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:04.702{F172AD64-7A02-63C6-A602-00000000B002}77647756C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+29f0c|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a649|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a8bc|C:\Program Files\Process Hacker 2\ProcessHacker.exe+79cc8|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d61e4|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4b54|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+fb7b|C:\Windows\System32\USER32.dll+f0b2|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4e41|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Process Hacker 2\ProcessHacker.exe+21c81|C:\Program Files\Process Hacker 2\ProcessHacker.exe+21b33|C:\Program Files\Process Hacker 2\ProcessHacker.exe+e2e9e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:04.702{F172AD64-7A02-63C6-A602-00000000B002}77647756C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a516|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a8bc|C:\Program Files\Process Hacker 2\ProcessHacker.exe+79cc8|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d61e4|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4b54|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+fb7b|C:\Windows\System32\USER32.dll+f0b2|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4e41|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Process Hacker 2\ProcessHacker.exe+21c81|C:\Program Files\Process Hacker 2\ProcessHacker.exe+21b33|C:\Program Files\Process Hacker 2\ProcessHacker.exe+e2e9e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:04.256{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:04.252{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB18094AF4105CD73CD4421D58A94FA,SHA256=4B5AB2C359BB8D0C8E614E4C839CE8DFBA6A01EAB755206C3189726EA4A00449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:05.408{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3C07353D9C9F0740D7BD06CF883C8F,SHA256=EB38177C03422625C53F961E78BC2A593BA0A7C9A9F18DA1A807B895A12C9178,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:05.352{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:05.352{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F047EAAA240C64D743F7462CB3C99F6,SHA256=7DD676EB753281032A907FE241264172D4BEADC6A82DCBE9E2E2040A86973DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:06.479{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74863A5AFB22704BB0802D8F2E3CB3F,SHA256=45E2BAA688A90E11472FF392AB8DBCC774E73A8F1D8D2E1018C8A88505F473BF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:06.476{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 11241100x8000000000000000101688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:06.419{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:06.419{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA41FDF585FB78A1BF158CB4FBA70744,SHA256=CE3206B777BFB81BEF729AD90A25B1AD26B9922B8C8D57251DDB36F6DC765B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:06.087{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:07.564{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1078691B5D2267E893EA73C426EF543,SHA256=FDA9F2E99628DF678291451338D16ECF575F0F7E21ADA6F26DF2C9227591C644,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000101698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:07.677{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe 10341000x8000000000000000101697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:07.677{F172AD64-7A02-63C6-A602-00000000B002}77647756C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-C502-00000000B002}7180C:\Windows\system32\conhost.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2c30|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2d4d|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2d4d|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2e4b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+24f34|C:\Program Files\Process Hacker 2\ProcessHacker.exe+23837|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll+611c|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a991|C:\Program Files\Process Hacker 2\ProcessHacker.exe+79cc8|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d61e4|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4b54|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+fb7b 10341000x8000000000000000101696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:07.677{F172AD64-7A02-63C6-A602-00000000B002}77647756C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A31-63C6-C402-00000000B002}5312C:\Windows\System32\cmd.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2c30|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2d4d|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2e4b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+24f34|C:\Program Files\Process Hacker 2\ProcessHacker.exe+23837|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll+611c|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a991|C:\Program Files\Process Hacker 2\ProcessHacker.exe+79cc8|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d61e4|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4b54|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+fb7b|C:\Windows\System32\USER32.dll+f0b2 10341000x8000000000000000101695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:07.662{F172AD64-7A02-63C6-A602-00000000B002}77647756C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A1A-63C6-AF02-00000000B002}8152C:\Users\Administrator\AppData\Roaming\svchost.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2c30|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2e4b|C:\Program Files\Process Hacker 2\ProcessHacker.exe+24f34|C:\Program Files\Process Hacker 2\ProcessHacker.exe+23837|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll+611c|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+115a5|C:\Program Files\Process Hacker 2\ProcessHacker.exe+2a991|C:\Program Files\Process Hacker 2\ProcessHacker.exe+79cc8|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d61e4|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4b54|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+fb7b|C:\Windows\System32\USER32.dll+f0b2|C:\Program Files\Process Hacker 2\ProcessHacker.exe+d4e41 10341000x8000000000000000101694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:07.662{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:07.662{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:07.662{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:07.456{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:07.456{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A9B3187D88F5D8A006A57C032394A6,SHA256=EC0FA7DBABA5E83B811ADBED05D68F1916A5A21FC6970D657EA5DE54632423F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:08.761{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4D9D514C9A1D3B9977792BBE803D3C,SHA256=6312CF80EB15830729939AABFB4CDC8CB28A8441E122AF10708663B27E8DB727,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.823{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.823{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.823{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.807{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.807{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.807{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.807{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.538{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.538{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198BABB3ABC4C4E64A5502CFC3B06E2F,SHA256=9949B9EF5EF748D07696987DA6FA336CAEFE0B8073095899ACC0000AA3DD3261,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.507{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.507{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CD009F8ED01268D99DC547321B16CC,SHA256=B6659DD3AB1E948F9B6519F477493A1F7CDE79F4620091E3FECBC35367E5C10D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:06.229{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64579-false10.0.1.12-8000- 10341000x8000000000000000101761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.322{F172AD64-6CE8-63C6-0D00-00000000B002}892912C:\Windows\system32\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.185{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.181{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.176{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.174{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.173{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.168{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.164{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.163{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.162{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.156{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 11241100x8000000000000000101712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.156{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000101711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.155{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4AD8DD39144EA3487A247D1EF4840102,SHA256=378A5C6C6EDF2A95A4F990667C8103D33ABE598ED9EC1C1273F2F2D17C9BA018,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.145{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.140{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.133{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.126{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.118{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.089{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.079{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.072{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.065{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.058{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.023{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:08.019{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 23542300x800000000000000070350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:09.851{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5D7C8BCF51BF6FD92381735EB15EF3,SHA256=4E69DBE48838A7E9323C74C063DB3744E08A06ADA0ADD74453E73D29B678E68A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:09.608{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:09.608{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495BD5B403DA5DE9CC3C42C059C5D87C,SHA256=1A5C665717378224DCB9557A1F4FE7115CD1BDC97A522FEEC0FC0C29BF430568,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:07.119{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50394-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:10.941{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C9C4CF301197E3C563B632C1221566,SHA256=543AAE3672C2B0CAFD07BC4AEDD32EECE08C373C7108AEB5CF1F667243213FCB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.660{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.660{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FAB10FFC61C502A3E6A01E472656E5,SHA256=B86EFC60661C386E5C3C88707C0E504854C05653C9CDB1D1E899646B501736D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.576{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.574{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.297{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.296{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.296{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.247{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.244{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.239{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:10.227{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 11241100x8000000000000000101831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.982{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.982{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AABE0918E6E52985DDAB301042825FCC,SHA256=7F0B7160DE5AB522540B7B149D4328D4AC214BCB14029C3DCA1140C905E2EC99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.625{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.625{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.277{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.274{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.272{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.270{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.267{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.265{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.263{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.259{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.257{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.253{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.251{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.241{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.238{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.236{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.234{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.230{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.227{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.225{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.222{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.215{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.213{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.188{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.186{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.185{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.185{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.184{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.170{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.160{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.158{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.121{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.115{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.103{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.097{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.095{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.093{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.091{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.089{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.086{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.085{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.083{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 10341000x8000000000000000101787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:11.082{F172AD64-7640-63C6-CB01-00000000B002}61966596C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017EB8190) 23542300x800000000000000070366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.880{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AEA064233F7F12AFD2AD802F668EA431,SHA256=71969EB6C58B8420F587D9EC0B4A326AAFE8BF6720867E6805ADE00109E35FD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A58-63C6-6E02-00000000B102}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7A58-63C6-6E02-00000000B102}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.371{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A58-63C6-6E02-00000000B102}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.372{F6EEFE7F-7A58-63C6-6E02-00000000B102}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:12.030{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BBEB0E0D4A5DFCF9745D1F5377BE8D,SHA256=334BE6603E1996DA7B8FCDBB89670A648931A0DA4C747CEA9D8B321249EC4288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:12.842{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:12.842{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:12.842{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:12.795{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:12.795{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.745{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AB81D37D4A39CACA96ED11C10D013F39,SHA256=F7530FD2BFF118F7B8F762DDCC565CF7C6D4D94541B247637BA48F0C96AC8C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.491{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.477{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 23542300x800000000000000070404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.472{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0FBAE82401180CAFEABA26478E56ADA,SHA256=BB69C2F896D0720E58E9BBF9A1405CBF798B82747891B6F7348963D2A59076D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.442{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.426{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.395{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.382{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.364{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.356{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.353{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.345{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.341{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.338{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.334{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.332{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.327{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.325{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.324{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.321{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.316{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.308{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.302{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.281{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.277{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.259{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.248{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.201{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.191{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.184{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.169{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.157{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.151{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.135{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.126{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 23542300x800000000000000070370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.112{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296ACF67394EFA4E2D589EC7FE1D6812,SHA256=ACF3747B71122F4C0B434F7722EA0518AFB23C50B06DD27B7FEA86B71D074CA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.112{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.098{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 11241100x8000000000000000101838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:13.062{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:13.061{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79C0C09E5EE8E89DD145F0346CF0292,SHA256=04DA44112BE8539AA489311E8C3EAA0B4DE861F3698ED5B7CDB5CE3FC2CDE6B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A5A-63C6-7002-00000000B102}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7A5A-63C6-7002-00000000B102}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.899{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A5A-63C6-7002-00000000B102}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.900{F6EEFE7F-7A5A-63C6-7002-00000000B102}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000070424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:13.072{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50395-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.296{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EF149DF095972E4C36556C90832EAE,SHA256=B48F9BA9365E00DEB06C1CED002AF707E73B8334E4C01459DB1E3C60628B797A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A5A-63C6-6F02-00000000B102}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7A5A-63C6-6F02-00000000B102}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.232{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A5A-63C6-6F02-00000000B102}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.233{F6EEFE7F-7A5A-63C6-6F02-00000000B102}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:12.168{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64580-false10.0.1.12-8000- 11241100x8000000000000000101916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.386{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.386{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD20D472E02AB93BA515D7D9AC2F51E,SHA256=BBF972111D631729E5ADA4B4B9461EF9AC7E9806E3E941B2327D10BB6BF65D37,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.370{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x8000000000000000101913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.370{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.370{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.348{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6,IMPHASH=291B64B0984CCD3A091CF75D2A111D5DtrueMicrosoft CorporationValid 734700x8000000000000000101910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.319{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000101909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.313{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000101908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.298{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=1E97AB4809C6F313924374B955C06609,SHA256=0EED3DC3607EC986FFC8BE594A6656D668647DCC84E2158006123A4EBD273B12,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 11241100x8000000000000000101907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.293{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000101906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.293{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AD9B8677ED7110DF0A2A9B676B63761F,SHA256=320228A0C57A609FA77E34A1FC1664EF4AA5077126DAA1632F9F9554050FD57B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.281{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.281{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.281{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.277{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.276{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000101900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.276{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000070409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.004{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:14.003{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x8000000000000000101899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.269{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.263{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x8000000000000000101897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.262{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 10341000x8000000000000000101896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.254{F172AD64-79B2-63C6-8A02-00000000B002}62087392C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CF6EBC) 734700x8000000000000000101895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.253{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 10341000x8000000000000000101894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.245{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.230{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.198{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x8000000000000000101889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.198{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x8000000000000000101888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.198{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x8000000000000000101887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.198{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x8000000000000000101886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.198{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CB0F3B) 10341000x8000000000000000101885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.198{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x8000000000000000101884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.198{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x8000000000000000101883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.198{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA6406) 10341000x8000000000000000101882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.198{F172AD64-79B2-63C6-8A02-00000000B002}62087392C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA38F9) 734700x8000000000000000101881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.186{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationmscordacwks.dllMD5=34430BB4DBFA4814115EC8D42BE9B4CC,SHA256=9E5008F4B2B9A12EA4262647C1A6362E1CB96DFBC68B538E133B2A2A3CD9F33F,IMPHASH=749340B5A3E31B3E36A3A4A7F57CCF2DtrueMicrosoft CorporationValid 10341000x8000000000000000101880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.129{F172AD64-79B2-63C6-8A02-00000000B002}62086504C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c1d4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.129{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153,IMPHASH=0524DC27AA10ADA72FFB6F88F5FD8829trueMicrosoft CorporationValid 734700x8000000000000000101878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.129{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32F,IMPHASH=CD244BF7A749BF0B13E038D2EE842BFCtrueMicrosoft CorporationValid 734700x8000000000000000101877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.114{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=3E93DA6D9661961064868E1DC8719674,SHA256=94E0505EFFF30A222546870508A8016D3EABE0F1B05ECC51997153AB9D9188DF,IMPHASH=259C196C67C4E02F941CAD54D9D9BB8AtrueMicrosoft CorporationValid 734700x8000000000000000101876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.114{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000101875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.114{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000101874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.114{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000101873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.114{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 11241100x8000000000000000101872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.114{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.114{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BB22097E61EE178B4C94338E9B5924,SHA256=54A8BA02863A2EF21044CB5129E1BD283E5D5EA7FCE7C63F82C77B8195525CFE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000101870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.114{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000101869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.114{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000101868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000101867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000101866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000101865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000101864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000101863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x8000000000000000101862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000101861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000101860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000101859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000101858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000101857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.098{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000101856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 10341000x8000000000000000101855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-79B2-63C6-8A02-00000000B002}62086504C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9424|C:\Windows\System32\KERNELBASE.dll+c3fe5|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000101854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000101853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\svchost.exe0.0.0.0 --svchost.exeMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 10341000x8000000000000000101852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-79B2-63C6-8A02-00000000B002}62086504C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-79B2-63C6-8A02-00000000B002}62086504C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-79B2-63C6-8A02-00000000B002}62086504C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+55fc0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-79B2-63C6-8A02-00000000B002}62086504C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7437c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5522b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0.0.0.0 --svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3AEA97EF58D132D994D6160AE232C6E7,SHA256=067F997E6FE9EAC1A47D9A54D6DD22414721AD895E6352714A11779DE8D66540,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe" 10341000x8000000000000000101842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.086{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.070{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.070{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:14.070{F172AD64-7634-63C6-B901-00000000B002}49006156C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:15.438{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF60A2B03E933644E10A5F8D38D35F2,SHA256=7DC4D290E481F7F0023BCF4ACCD179A238530C51E6502D80C18339FE1BBD7491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:15.848{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:15.848{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:15.601{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:15.601{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:15.188{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:15.188{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5F45A9C7A5DC46187A78CF02A5E58D,SHA256=B89E7DA16438DD4E8B0C44DF38318560026D08AC7ACA037A2D6A17F858C0C7F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:15.164{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000101918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:15.164{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9EC271DF398633232A922115A5EC65A,SHA256=18B4EAB46D689CD24B0BA2E17885903B2F688869B29038C4F72281A5B19CBD9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:15.161{F6EEFE7F-7A5A-63C6-7002-00000000B102}46682024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.478{F6EEFE7F-7A5C-63C6-7102-00000000B102}49285224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.478{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A221FD3939E22E06641F83E60511BF8,SHA256=5B8F951664E0CEC68BB39B3858B318CF233ED93C5FC32553FC85BBE172D249FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.749{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.733{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.733{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.718{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.702{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.702{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.674{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.674{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.633{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.633{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.433{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.417{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.417{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.402{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.374{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.372{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.349{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.273{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.265{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000101930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.233{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.233{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925F48CA71E3388597043F3C9526773D,SHA256=DDD1D201AA64F4D7B12BB1D1D74BE2CCE5931517017D6B29A1437EA67EBF3A67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A5C-63C6-7102-00000000B102}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7A5C-63C6-7102-00000000B102}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.268{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A5C-63C6-7102-00000000B102}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:16.269{F6EEFE7F-7A5C-63C6-7102-00000000B102}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000101928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.089{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000101927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.089{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000101926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:16.089{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000070488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.999{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A5D-63C6-7302-00000000B102}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.999{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A5D-63C6-7302-00000000B102}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.998{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A5D-63C6-7302-00000000B102}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.998{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A5D-63C6-7302-00000000B102}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.998{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A5D-63C6-7302-00000000B102}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.998{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A5D-63C6-7302-00000000B102}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000070482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A5D-63C6-7302-00000000B102}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7A5D-63C6-7302-00000000B102}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.793{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A5D-63C6-7302-00000000B102}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.795{F6EEFE7F-7A5D-63C6-7302-00000000B102}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.543{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3550A44BF7A415C3C79DE4DD41EC5455,SHA256=5F0B8642D6280C62137ECF5D5FF59AAC01DF17D128E38E05A7E0E5AC89D585ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.434{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.419{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.403{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.403{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.391{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.391{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.375{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.375{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 11241100x8000000000000000101958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.275{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.275{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851AA79F59588888473C3FBA6A195E05,SHA256=945A151EF27B669D66AF8A763DF97DDACF600605D6DB16C94B02E07182E0B678,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.260{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x8000000000000000101955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.254{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x800000000000000070468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.389{F6EEFE7F-7A5D-63C6-7202-00000000B102}51805148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A5D-63C6-7202-00000000B102}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7A5D-63C6-7202-00000000B102}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A5D-63C6-7202-00000000B102}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:17.179{F6EEFE7F-7A5D-63C6-7202-00000000B102}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000101954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.234{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.191{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.191{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.119{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.103{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 23542300x800000000000000070491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:18.895{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E62AE38A60F6980AB13E48542A158F71,SHA256=6968BD866FDE828D46D63F60E0F3696A0B3DD2D4A92BF7167D7546E9912AC07F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:18.629{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A7ACAC4FF7F3069E71DDA8C6A7B2A7,SHA256=DA03194E598E92DC72D6C882258C76B262E195312C1E5B5EBE504942EEDF95D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.906{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000102000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.894{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.894{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.872{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.853{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.853{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.806{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.794{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.794{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.738{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.706{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.694{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.621{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.593{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.593{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.578{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.577{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.571{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.552{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.552{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.537{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.478{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.474{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.452{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.436{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.421{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.421{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.421{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.346{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.344{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 11241100x8000000000000000101971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.298{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000101970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.298{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3DD02BA9013BF7A0176434FAE2A09F,SHA256=5B49A0EC2A6290425BDB098E741396DC692C6FB14E2C01697357DA9395DDC7AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:18.019{F6EEFE7F-7A5D-63C6-7302-00000000B102}46165192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.194{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000101968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.194{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 11241100x8000000000000000101967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:18.193{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:37:18.193 23542300x800000000000000070505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.734{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D747886674E804D960B2AF2BC0B93A,SHA256=27B41AB32FE64419E129420C0412EB0C0874C583D4B11CB409C4389348F49264,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000102037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000102035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000102021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000102017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.940{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:17.196{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64581-false10.0.1.12-8000- 11241100x8000000000000000102009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.495{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.495{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC00F8876F6952879C2987EA4CE0813,SHA256=6AACF64CB4DC3272E0BC2867D762ABD869379B2863B1C42EFA5186ADE1F06C56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.454{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000102006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.407{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000102005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.379{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000102004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.375{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000102003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.340{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x8000000000000000102002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.327{F172AD64-7A5A-63C6-C702-00000000B002}41727900C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF75CD3CB3) 10341000x800000000000000070504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A5F-63C6-7402-00000000B102}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7A5F-63C6-7402-00000000B102}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.487{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A5F-63C6-7402-00000000B102}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:19.486{F6EEFE7F-7A5F-63C6-7402-00000000B102}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:20.934{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B13DBF50152BBB3B2B2DCAB4E62D498,SHA256=7FD7DC51F1D2A4A0614582DCF8CFC735DBDC33422C7D51480DBB8BE33ABC4987,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.776{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.774{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000102114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.774{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000102113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000102112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 734700x8000000000000000102111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000102105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000102103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.609{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000102097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000102094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000102091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000102090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000102089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000102088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000102086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000102085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000102084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000102082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000102080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000102078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000102077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000102076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000102072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.601{F172AD64-7A60-63C6-C902-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000102065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.597{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F9AD174983DEBD0A31F495817A4956,SHA256=EC2359112DE1BFC9F0957C38E9F705BA70E26FDB1F8D68070369EF5E77DE4D48,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.424{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000102062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.424{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1843DB0BD483543F64AE3471A4699DFA,SHA256=E63305AB1127D1B76A2046A3FFCEA356EF2494FE6F886F12DAF53081C5DDFB38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:18.171{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50396-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000102061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.108{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000102060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000102059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000102058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000102057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000102056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000102055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 10341000x8000000000000000102054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.108{F172AD64-7A5F-63C6-C802-00000000B002}81807984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.108{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000102052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000102051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.954{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000102050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000102049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000102048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000102047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000102046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000102045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:19.939{F172AD64-7A5F-63C6-C802-00000000B002}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 734700x8000000000000000102176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.911{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.911{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000102174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.911{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000102173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000102172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000102171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000102170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000102169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 734700x8000000000000000102168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.742{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.742{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.742{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.742{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.742{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.742{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000102162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.742{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.742{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000102160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000102159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000102158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000102155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000102153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000102152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000102150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000102149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000102147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000102146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000102145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000102142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000102141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000102139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000102132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000102128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.726{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.727{F172AD64-7A61-63C6-CA02-00000000B002}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.526{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FCE83203F617B6A242A87B34D4BBD339,SHA256=F33B9D734305293C0F413F3CBC9CD124A74A61733E355C217AF2BC43D70DA93C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.498{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.498{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42EE9F20B4388F4C4E7F02BB76295C0,SHA256=17B769AF0905B7F7D221E5C24CBE88E07BBD5A95B1EB4F255551D414E2072C32,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.042{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000102117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:21.042{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA6F3CF2571394F70401518BB5AF467A,SHA256=0AA56583D7D57A88FF0C52D4CF2313CCE0F11E5A4A11F6028AAFAC249836DEFF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:22.627{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:22.627{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D8C67A4CD64FA4393CF40BE6D07C43,SHA256=8E0C28C20B16ABC0904E73077B2D60348CCD60FD2951361D4CF64F320BF484F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:22.039{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E2C21C698FDB8AC00ACA9CC8567756,SHA256=9AC2BFF905AB1AC0030F09C9F880CE0A4FEF29868A780773CA3F6B125FC162A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:23.126{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37570059F5D4F367D611570203C8A14,SHA256=13E96B1CCD1DA87859CB89A9CDF380C0B4ACBAE5991763168609C1DEA778272B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.783{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64582-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x8000000000000000102181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:20.783{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64582-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 11241100x8000000000000000102180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:23.645{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:23.645{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9F3F8E64595CE88CB099A801A94851,SHA256=CFDDF76F601BCC1EBA6234888E596A16EF02884D24A156C8A47C33CDF3FF64FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:24.336{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F170292DEECBFF5DBDE1E760A084C307,SHA256=2544F9BD3543CDF22FABBADDAE9806CBFF4EBCE1B58FAE843AA367F7AB826AD7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 734700x8000000000000000102298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.833{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.833{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.833{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.833{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.833{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.833{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000102292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000102290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000102289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000102283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000102281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000102277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000102276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000102275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000102274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000102272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000102271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000102269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000102266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000102265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000102264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000102263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x8000000000000000102260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000102258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.817{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000102252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.733{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.733{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC20AEDF4CB1E1896BA37860685BE67,SHA256=1F8756279C0FD12B594C65092E9EB47514C16FCDD61131B0670CFBBFD9D6978D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.601{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000102249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.601{F172AD64-7A64-63C6-CB02-00000000B002}69608116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.583{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000102247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.582{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000102246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.576{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\AlternateServices.txt2023-01-17 10:37:24.576 11241100x8000000000000000102245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.533{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.532{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1A900A9B916854F143B769BE7DB7E0,SHA256=6963BFE64B8411B5D43717D10D0816E3AABD02207DA01865EDCE705BD47CC53A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 734700x8000000000000000102242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.162{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000102241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.162{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000102240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.162{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 10341000x8000000000000000102239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.410{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.410{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.410{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.409{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.409{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.409{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x8000000000000000102233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.402{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\SiteSecurityServiceState.txt2023-01-17 10:37:24.402 734700x8000000000000000102232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.162{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000102231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.146{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000102230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.262{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.246{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.246{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.246{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.246{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.246{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000102224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.246{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.246{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000102222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000102221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000102216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000102214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000102211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000102209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000102208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000102207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000102205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000102204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000102203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000102200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000102196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000102195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 10341000x8000000000000000102194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000102190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.231{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.232{F172AD64-7A64-63C6-CB02-00000000B002}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000102183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.162{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 11241100x8000000000000000102362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.894{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.894{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428A512A39B1F82F8C0093956756031A,SHA256=F0196DBFDBA7C2FD2773FAA0B88AF12EAB87B5754EB1063A08A2EE89D601E1A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:24.097{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50397-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:25.418{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1BA8BDB651395D1B33A325BC55BE08,SHA256=7965395AB20B4D53DAE59EB6B09DDF7BB0A693A51E8FB95FB295DA0D876E8EA5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:37:25.736 11241100x8000000000000000102359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:37:25.736 11241100x8000000000000000102358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2023-01-17 10:37:25.736 11241100x8000000000000000102357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2023-01-17 10:37:25.736 734700x8000000000000000102356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.578{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000102355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.578{F172AD64-7A65-63C6-CD02-00000000B002}79886916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.578{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000102353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.578{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000102352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.547{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.547{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A243E6CC4F509327D45FE2B7E0394F,SHA256=9C69B143FF472F835338E3994D78CC6DB2A39426E657266F9E9535FD08411DE5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.425{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.425{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.424{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.423{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.422{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.422{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000102344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.421{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.421{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000102342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.415{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000102341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.415{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.415{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.415{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.414{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.414{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.414{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000102335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.413{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.413{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000102333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.413{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.413{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.413{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000102330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.413{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.413{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000102328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.413{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000102327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.412{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000102326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.412{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.412{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000102324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.412{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000102323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.412{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000102322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.412{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.412{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.411{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.411{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000102318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.411{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000102317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.411{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000102316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.411{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000102315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.410{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.410{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.409{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.409{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.408{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000102310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.408{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.408{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.408{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.408{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.408{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.407{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.407{F172AD64-7A65-63C6-CD02-00000000B002}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000102303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.010{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000102302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.009{F172AD64-7A64-63C6-CC02-00000000B002}72368152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.009{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000102300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:25.009{F172AD64-7A64-63C6-CC02-00000000B002}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000070514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:26.605{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB8AFE7E2D077F7A45E082DECCC0AAE,SHA256=820A680DBB05D8C72ACF6C53468DAC1BBB75054BCCE3D34490D230AFA0259203,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.636{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.620{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000102414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.620{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000102413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:23.206{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64583-false10.0.1.12-8000- 734700x8000000000000000102412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.419{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 11241100x8000000000000000102411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.514{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000102410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.514{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2F445EEEFCAA2AEFD525384F27DBF38,SHA256=CFEE72C31AA4E138E5720C53F3D880CF8D2FDB9F958AFD4867FFD78F1186EE30,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.449{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.449{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.448{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.447{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.445{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000102404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.444{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.444{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000102402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.434{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000102401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.433{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.432{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.432{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000102398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.432{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.432{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000102396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.432{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000102395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.432{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000102394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.432{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000102393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.432{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.431{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000102391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.430{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000102390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.430{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000102389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.430{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000102388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.430{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.428{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.428{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000102385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.428{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.428{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000102383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.428{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000102382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.426{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000102381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.426{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.426{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.424{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.422{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.422{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.422{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.422{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.422{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000102373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.421{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.420{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.420{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.419{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000102369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.418{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.418{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.418{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.418{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.417{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.417{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:26.411{F172AD64-7A66-63C6-CE02-00000000B002}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:26.133{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-055MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:27.691{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3519935AD09E431C83F96DC73C55A2A0,SHA256=527BA92C1B566619A08C97F28A3E1D10AEC613E170F2551EEA5C722358738730,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.863{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64042- 11241100x8000000000000000102420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:27.650{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url2023-01-17 10:32:00.888 23542300x8000000000000000102419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:27.650{F172AD64-7A5A-63C6-C702-00000000B002}4172ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.urlMD5=82C914A69E3F38B4B266B0C2EF55807A,SHA256=D16ED1A306F4A062BF2D88AF0240230E545F7D368B468220D4378164F5340875,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:27.165{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:27.165{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9570B7ED768ED027B58BE91715A4160,SHA256=9E6D4F0F41B8BD4BC4710602740B7A600999634239D6138254685D9C4A765E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:27.135{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.701{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000102447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.701{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C6BB6C27505F9D2DCE9BFA9010AF7DB2,SHA256=E7898D41119057560D83011C04397AB71B2EFCC90873E443C49583A6CDBF554F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:24.877{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64584-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 11241100x8000000000000000102445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.251{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.251{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6541E79E331FED01C9E51BA39F590A17,SHA256=CBF7553B1C6A1D0BB28619DD1204E1A8319BE27BA26E883A147C2A0748C17402,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.185{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.175{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.170{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.168{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.167{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.161{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.158{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.156{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.154{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.149{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.140{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.135{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.129{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.123{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.116{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.086{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.068{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.062{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.054{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.047{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.013{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.011{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000070517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:29.001{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE2029D10B99EB48A405BEB2947A656,SHA256=0178F7F64C0E307609B1DCD3014B7F95614F5493D976FBDD2865FFFFBFC5CC4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.921{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\SiteSecurityServiceState.txt2023-01-17 10:37:24.402 23542300x8000000000000000102462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.921{F172AD64-7A5A-63C6-C702-00000000B002}4172ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\SiteSecurityServiceState.txtMD5=7DE8798E13878E5FC913FCEE5D3645A2,SHA256=06D3414D2C7275FE76BA677BBC51B81ECBE4D60D0EE8EA37FE5169FBDD362092,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.890{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs.js2023-01-17 10:36:54.556 23542300x8000000000000000102460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.890{F172AD64-7A5A-63C6-C702-00000000B002}4172ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs.jsMD5=AA7587647172AE5A46ED944DB0B23487,SHA256=29933BF706ABE49A6639BCB07C64D73594D54CAB4A4F6ECCEC0FD5ED6E3BADD5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.821{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\read_it.txt2023-01-17 10:36:32.792 23542300x8000000000000000102458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.821{F172AD64-7A5A-63C6-C702-00000000B002}4172ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\read_it.txtMD5=8B7C16186EDA725A280AE9F7E7EA9B43,SHA256=F59448977DB86356CFFDF951CEF0B2273F83641DB68A8BD1F6170F8FB07AC44B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.821{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\AlternateServices.txt2023-01-17 10:37:24.576 23542300x8000000000000000102456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.821{F172AD64-7A5A-63C6-C702-00000000B002}4172ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\AlternateServices.txtMD5=D1BBBD3F4AA98E30403A747BABDAAAE4,SHA256=CBFA876D5D9436AA35012A967482A0DEFDBC1131AEDBED17CCD828BBEFB34445,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.774{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg2023-01-17 10:20:09.861 23542300x8000000000000000102454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.774{F172AD64-7A5A-63C6-C702-00000000B002}4172ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=C98829CF12BF4D8D42ED164F98E2A842,SHA256=B2F641C1ADFA4A43240419FBBA28F7739F80354D91FCA563C194F4F737058BF7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.693{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.693{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.693{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 11241100x8000000000000000102450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.284{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:29.284{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340D9BF7918833DD4E2E8B0D2331AC44,SHA256=31F56EE0671D2F0CC17A8F3E0C6F1A5EFB014F078541A44B8FCFA448D3DBA7C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:29.113{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50398-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:30.089{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1F4DD7EEA789693D180C067584AD3D,SHA256=FBA9E39D87AD0BDB0D0714FE854D72A9F9857049120CA939E498E18AB1F38D22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:28.310{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64585-false10.0.1.12-8000- 10341000x8000000000000000102471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:30.570{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:30.569{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000102469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:30.345{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:30.344{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF9C494C3A5A120C8644A0566654257,SHA256=5DDCB35ABD7742823F3E843790C4767AB21892AC1B67084E54EDB6AC40BA874F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:30.246{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:30.243{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:30.236{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:30.222{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000102518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.592{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.592{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423C926B39C29CF6D0F1742196414819,SHA256=F13046ABE718F9F887BCA5ED912E60E0776AAB3E24AD2767830375E7E70243F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:31.178{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E453E60875079315C45FE7C17B337B2,SHA256=EE17CD92BFD26135A4517862E574CAE947DD4F294E28A6DA9065EF0C30E2E8C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.272{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.270{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.268{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.265{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.263{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.261{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.258{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.256{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.253{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.251{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.248{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.246{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.235{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.232{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.229{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.228{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.224{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.222{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.219{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.217{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.210{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.208{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000102494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.186{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x8000000000000000102493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.185{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.184{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.183{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.182{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.182{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.180{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.167{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.158{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.155{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.129{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.123{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.112{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.108{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.106{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.104{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.101{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.099{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.097{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.096{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.094{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000102473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:31.093{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 354300x8000000000000000102521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:30.298{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64586-false10.0.1.12-8089- 11241100x8000000000000000102520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:32.709{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:32.709{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A113A1B44A9BF947E8E011D1239EF313,SHA256=7F8D83B400A2D88921B9D0D5D84D542C823B57F87AFA4E6D59BA029E6CE1D210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:32.270{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF6F30E380725B22DCDF2038A363662,SHA256=2E543BA3C6125A8226489D16FDAB2C60FD8AA16C74DABAE679F72E2F9C239C62,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:33.810{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:33.810{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E448228AFCE58F4EFBD3133C7E06E24,SHA256=44D17E19AE409362ED2158AEE982042A08BCBDDC34957F37819AC41197E50277,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.956{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.954{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000070560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.484{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BE04F1AB9017A6BE8F22130C64DAD1,SHA256=D25BBA2039559B1EA80AAFC0AB9B0F54A17D2C09B765CC1C336202C8FA0AA237,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.436{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.426{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.390{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.378{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x8000000000000000102524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:33.043{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-055MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:33.042{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0552023-01-17 10:37:33.042 11241100x8000000000000000102522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:33.041{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0562023-01-17 10:37:33.041 10341000x800000000000000070555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.342{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.323{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.317{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.315{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.309{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.304{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.301{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.300{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.298{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.293{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.286{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.273{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.263{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.245{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.233{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.191{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.173{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.164{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.142{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.135{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.130{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.123{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.114{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.105{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.098{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:33.094{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000070563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:34.451{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB0CF14899CE47E46BFF8D37A940FB2,SHA256=BD8061C91769544C2458F5AFE7CFBAE4CD69EAC4177F355A695F89E84926B390,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:34.846{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:34.846{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790852082E4E94CD63B18AA0337BA3AC,SHA256=DB593A06AA4BAD1BB4279485510111F977F5EBE47F0FD91E92C078CBB712B012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:34.043{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:34.206{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50399-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:35.646{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17AEB63100FCE7428F4829B7E8DECD93,SHA256=019460C7FD28CB56D22987E8FA51F9BCF2569D5CC2B44AE84155C89F4C56C3D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.498{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.498{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B28A328A3C80E69E07A64F63D8D8EE7,SHA256=A98AFD09D1EA2F748880739791793CF8A6C7E8644643AC624AACBDA89D31D4FD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.269{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 734700x8000000000000000102702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.269{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 734700x8000000000000000102701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.269{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid 734700x8000000000000000102700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.269{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\vsswmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI Provider for VSSMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSPROV.DLLMD5=74CBE3C22A64B107AFED820F00B9C98F,SHA256=F907E0CFD0B7B27BCF2D8D5C0D6E4C8E1B962E96C6D611A54B6E6877FDEA8130,IMPHASH=0CACD7A3A6C4A27F7C061428AA9D4886trueMicrosoft WindowsValid 10341000x8000000000000000102699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.269{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.269{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.254{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.254{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 734700x8000000000000000102695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.254{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x8000000000000000102694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.251{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 10341000x8000000000000000102693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.250{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.250{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.249{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000102690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.247{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.247{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wininet.dll11.00.14393.5582 (rs1_release.221130-1719)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=CB2C069BBC0C6F01FCF8B8CC33B759F3,SHA256=20A51841566FBBADEE3D80FA2A5BCA22125CB60AB48D8C07868A0E104557D017,IMPHASH=3A3043B2614699B8AF49F62AD14660B1trueMicrosoft WindowsValid 734700x8000000000000000102688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.244{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000102687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.244{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.244{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000102682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000102681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000102678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x8000000000000000102676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msxml3.dll8.110.14393.5127MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=9D77BBEA5D618AC8D5218553D30E51FF,SHA256=E3B966541623884A78A09EA6D36269853B31FE31FB6DF90B48080F13E006F5DC,IMPHASH=A80F24725C5C87DCE74AE4F927273077trueMicrosoft WindowsValid 734700x8000000000000000102675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000102673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x8000000000000000102669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000102668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x8000000000000000102667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000102666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.228{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000102662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x8000000000000000102661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000102657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000102653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2,IMPHASH=AB84E6F170EE70C2F0F5C709A85E872CtrueMicrosoft WindowsValid 10341000x8000000000000000102652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000102649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A6F-63C6-D002-00000000B002}42607232C:\Windows\system32\conhost.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.212{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000102639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326EtrueMicrosoft WindowsValid 10341000x8000000000000000102637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-7A6F-63C6-CF02-00000000B002}81605532C:\Windows\System32\cmd.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.209{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic shadowcopy deleteC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete 10341000x8000000000000000102631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A6F-63C6-D202-00000000B002}3696C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 734700x8000000000000000102629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.197{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000102628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.181{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\system32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.181{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\system32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.181{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.181{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000102624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.181{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000102623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.181{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid 734700x8000000000000000102622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.181{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 734700x8000000000000000102621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.153{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000102620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.181{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000102619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 734700x8000000000000000102610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000102605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D002-00000000B002}42607232C:\Windows\system32\conhost.exe{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exeC:\Windows\System32\vssadmin.exe10.0.14393.0 (rs1_release.160715-1616)Command Line Interface for Microsoft® Volume Shadow Copy Service Microsoft® Windows® Operating SystemMicrosoft CorporationVSSADMIN.EXEMD5=2964D232005BD840B38F9DB4F95DC7DB,SHA256=4FE71EB779B57354E5600DC31E3DC1875ADC8A06663654AEC83F11109751E8FC,IMPHASH=974DD2AFBD6D9BAE89608D1B181CCCF8trueMicrosoft WindowsValid 10341000x8000000000000000102600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-CF02-00000000B002}81605532C:\Windows\System32\cmd.exe{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\System32\vssadmin.exe10.0.14393.0 (rs1_release.160715-1616)Command Line Interface for Microsoft® Volume Shadow Copy Service Microsoft® Windows® Operating SystemMicrosoft CorporationVSSADMIN.EXEvssadmin delete shadows /all /quiet C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=2964D232005BD840B38F9DB4F95DC7DB,SHA256=4FE71EB779B57354E5600DC31E3DC1875ADC8A06663654AEC83F11109751E8FC,IMPHASH=974DD2AFBD6D9BAE89608D1B181CCCF8{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete 734700x8000000000000000102593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.153{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 10341000x8000000000000000102592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.169{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A6F-63C6-D102-00000000B002}6680C:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.153{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x8000000000000000102590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.153{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 10341000x8000000000000000102588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000102585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000102584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000102579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000102578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000102577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000102576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.127{F172AD64-7A6F-63C6-D002-00000000B002}42607232C:\Windows\system32\conhost.exe{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000102574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000102572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000102571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000102568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000102559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000102558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000102557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x8000000000000000102554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A6F-63C6-D002-00000000B002}4260C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.111{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000102550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7A5A-63C6-C702-00000000B002}41727332C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+5958c|C:\Windows\System32\shell32.dll+125a17|C:\Windows\System32\shell32.dll+125975|UNKNOWN(00007FFF75EBA9FF) 154100x8000000000000000102544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.108{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy deleteC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" 10341000x8000000000000000102543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A6F-63C6-CF02-00000000B002}8160C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000102541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 734700x8000000000000000102540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x8000000000000000102537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.096{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x8000000000000000102536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.080{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x8000000000000000102535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.080{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000102534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.080{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.068{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.068{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.068{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000102530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:35.024{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 23542300x800000000000000070566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:36.731{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0598899CA686894AD982235A50E30E78,SHA256=AD1B91CACD02BE7849854BFFCE6C0CD2C156425CA401A852FD1CA996A3EDC0D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:34.254{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64587-false10.0.1.12-8000- 11241100x8000000000000000102711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:36.197{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000102710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:36.197{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=734E68ECAAB94F065E59DFEAAAAC2826,SHA256=DE262D20AC85C4E9BA6D0AC46E58E4CCD238BE4DA3D925EC5BA54B5F65DBB3D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:36.104{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:36.103{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576C7BC7BFF63174DB8E58D6C5B10119,SHA256=9D980C92EF8B1705B12787B342C3872A38D1ADC3F6E65602BDDB1BD9C9091FD5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:36.102{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000102706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:36.102{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BD8A476205AC5C017F66FA66073F47FD,SHA256=B6028529EAF7D77F5A97005DB4B27F8849E13A0DC5B0BEC91C51DEB45A42D520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.996{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076C98A0305C46D6DFF1A21D51B56BA8,SHA256=FD22166E79B6BA1D0EECBB5BC4200D5EA0E71603CAC023589746A90C3FF9659B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.772{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=E14E18428881CE154320E35C611F236C,SHA256=B6A39B653A598013531BC21015FEC60C65BFCECA90134A0907CE43DEB6DE624B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.772{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.373{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.373{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B904DD0A8E3E2D6EF444DC32C3A4E6ED,SHA256=FB6682684B0B886A17BF1B1C59B2A215E48907DCF223FAA3628D7D3B4E2FDFEA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.283{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\System32\bcdedit.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.283{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\System32\bcdedit.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000102792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.283{F172AD64-7A71-63C6-D402-00000000B002}33448112C:\Windows\system32\conhost.exe{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.283{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\System32\bcdedit.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.283{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\System32\bcdedit.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.283{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\System32\bcdedit.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.283{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\System32\bcdedit.exeC:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exeMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6trueMicrosoft WindowsValid 10341000x8000000000000000102787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.283{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-7A71-63C6-D302-00000000B002}79887548C:\Windows\System32\cmd.exe{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.281{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {default} recoveryenabled noC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no 10341000x8000000000000000102780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A71-63C6-D602-00000000B002}5816C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\System32\bcdedit.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\System32\bcdedit.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000102777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-7A71-63C6-D402-00000000B002}33448112C:\Windows\system32\conhost.exe{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\System32\bcdedit.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\System32\bcdedit.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x800000000000000070596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:37.012{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764796C:\Windows\system32\svchost.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\System32\bcdedit.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.272{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\System32\bcdedit.exeC:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exeMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6trueMicrosoft WindowsValid 10341000x8000000000000000102772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-7A71-63C6-D302-00000000B002}79887548C:\Windows\System32\cmd.exe{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.270{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no 10341000x8000000000000000102765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A71-63C6-D502-00000000B002}6452C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000102762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000102761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000102760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.256{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000102757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.255{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000102756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.255{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.255{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000102754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.254{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.254{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000102752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.254{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000102751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.253{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000102750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.253{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000102749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.252{F172AD64-7A71-63C6-D402-00000000B002}33448112C:\Windows\system32\conhost.exe{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.249{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000102747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.249{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.249{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000102745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.249{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.248{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.248{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000102742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.248{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.248{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.247{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.247{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.247{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.247{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.246{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.246{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000102733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000102732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000102731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x8000000000000000102727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A71-63C6-D402-00000000B002}3344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000102722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7631-63C6-A501-00000000B002}19601468C:\Windows\system32\csrss.exe{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-7A5A-63C6-C702-00000000B002}41727576C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+5958c|C:\Windows\System32\shell32.dll+125a17|C:\Windows\System32\shell32.dll+125975|UNKNOWN(00007FFF75EBA9FF) 154100x8000000000000000102716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.236{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" 10341000x8000000000000000102715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.230{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A71-63C6-D302-00000000B002}7988C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000102714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.215{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:37.215{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7B409BDACEDEF5BCE9AFE26B14C570,SHA256=F3FF7330775460B5BC8B98710468BBC0F1181B618FF9021993B0FB918E828862,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000102800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:38.500{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:38.500{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F899FD6B65F98D3AF07351648AE19695,SHA256=722BFEE864FA94B2C1CEB998713AA3B629FDC714DBDE91FC79EA50F3C90BFFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:39.250{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE587F3FD7BE7199619D379A03F3319,SHA256=C1A626086796187602186AB4EFD2475B1ED95E735A44356C38473924189A2121,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.658{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x8000000000000000102976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.657{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\msasn1.dll10.0.14393.5501 (rs1_release.221103-1703)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=7439EF264BFDAB9481BEC7876787A5D8,SHA256=D70A6FF54BA7D2C704CDA9DEBE14E93273549F8262B6D35BF5AADC8CFD95B6C3,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000102975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.657{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000102974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.657{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\wldp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=E0E13482A64635E305045F9EECAF4F53,SHA256=68291C8D8C6C8CDC112A9BA73B28C5C29CD87017E96DBCC5009B9BCDBDDEF326,IMPHASH=BAB4B09716AD341771228F16AF6CB4A6trueMicrosoft WindowsValid 734700x8000000000000000102973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.655{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.639{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.639{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.639{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\sxs.dll10.0.14393.5582 (rs1_release.221130-1719)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=F2A8CD581B7D437C69B57A11C3C45E5D,SHA256=43CE351FE5BBF22128A1A60EC5BE4C70B0BC1496AD276FF04A484F7B86921B0A,IMPHASH=1CD4F5164C272A4717A58FD86B640C54trueMicrosoft WindowsValid 11241100x8000000000000000102969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.639{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.639{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E9BCCC35DA0D3904A38A9C39974226,SHA256=5F63720D47F9748B365E5078B2657C022F31E05EB6F8EBDCDFE94BC0E29522A1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.623{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=1E97AB4809C6F313924374B955C06609,SHA256=0EED3DC3607EC986FFC8BE594A6656D668647DCC84E2158006123A4EBD273B12,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 11241100x8000000000000000102966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.623{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000102965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.623{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D74621422D1B2CE323870859A8B6295,SHA256=2A5AB5EA721A94B53760E1D00D7E844FA912F656E02AF4B35277F988711A6357,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.608{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x8000000000000000102963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.608{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=C78A1E65CDF78E9255803AFC4465422D,SHA256=C4FF9C3A8DF04379B7DA9E75F710A84518FB89A5AB7909B7C17125A393DD89EC,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x8000000000000000102962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.608{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 734700x8000000000000000102961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.608{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153,IMPHASH=0524DC27AA10ADA72FFB6F88F5FD8829trueMicrosoft CorporationValid 734700x8000000000000000102960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.608{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32F,IMPHASH=CD244BF7A749BF0B13E038D2EE842BFCtrueMicrosoft CorporationValid 734700x8000000000000000102959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.592{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4526.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=3E93DA6D9661961064868E1DC8719674,SHA256=94E0505EFFF30A222546870508A8016D3EABE0F1B05ECC51997153AB9D9188DF,IMPHASH=259C196C67C4E02F941CAD54D9D9BB8AtrueMicrosoft CorporationValid 734700x8000000000000000102958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.592{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x8000000000000000102957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.592{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 734700x8000000000000000102956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.565{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000102955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.535{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 734700x8000000000000000102954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.535{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000102953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.531{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.531{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000102951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.530{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3925E01E00CC6FF3435E0657E78562D0,SHA256=843F42CE8D28816A990ADB0B9393592703F8CE5A4008E5F5513815A2886F973F,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x8000000000000000102950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.529{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x8000000000000000102949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.529{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=C9DBBC2C3A27BB195586C3BC3CDBC198,SHA256=005F60E22A386DB12FA086D7E83DE521B00F69B073D1859E4E13C3F745690638,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x8000000000000000102948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.529{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 734700x8000000000000000102947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.525{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046,IMPHASH=563B6F147961D943E0261E05EAD94B56trueMicrosoft WindowsValid 734700x8000000000000000102946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.524{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x8000000000000000102945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.516{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000102944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.501{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\oleacc.dll7.2.14393.5127 (rs1_release_inmarket.220514-1756)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=3737D7B3A07BD11A31CD91B11F7EBA46,SHA256=528C1810C991DD93FA25D6A67A1415BC0A189189AEE0A62C0C79A43AA594E978,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 734700x8000000000000000102943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.485{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000102942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.485{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x8000000000000000102941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.485{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x8000000000000000102940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.485{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\msxml6.dll6.30.14393.5648MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=B82E1559DD59365F9C56E23434DA4FB6,SHA256=BA153BC8608EBE74778B362FFDA7805C7871199D6C9BD6819DC0239E84009900,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 734700x8000000000000000102939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.485{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\mmcndmgr.dll10.0.14393.4169 (rs1_release.210107-1130)MMC Node Manager DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmmcndmgr.dllMD5=DDDF9C3B3B4CCFAAD35BA49B0864608F,SHA256=A8EE05699A2CE04D63D078C33A397ABE8D90AE6BC5F0156230620615B13A2F8B,IMPHASH=51AD9533DC3E1E0CFCFEECD129A51944trueMicrosoft WindowsValid 734700x8000000000000000102938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.485{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000102937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000102934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x8000000000000000102933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000102932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000102930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000102929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000102928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000102927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000102926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.473{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853trueMicrosoft WindowsValid 734700x8000000000000000102925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000102924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000102923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0trueMicrosoft WindowsValid 734700x8000000000000000102922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000102921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000102920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x8000000000000000102919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\odbc32.dll10.0.14393.3471 (rs1_release_1.191218-1729)ODBC Driver ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationodbc32.dllMD5=7BE20E672645485F6A3B2E34389344BA,SHA256=B6F6E06CACEE09FB6CC0ACF874477FC9094EA4C14A07FF59B228BDD23C7BF02A,IMPHASH=B6FE10FF835FBB8612CC749787B5472EtrueMicrosoft WindowsValid 734700x8000000000000000102915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 734700x8000000000000000102914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\mmcbase.dll10.0.14393.4169 (rs1_release.210107-1130)MMC Base DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmmcbase.dllMD5=1C8D01FA2F46DA43580F66690E59F942,SHA256=24E48F93B6050D9DA4D1B93D07FCEA7F15AF8142BA8F4B8CFEF19FA670EB5B4E,IMPHASH=3A0957E0E673BE892DE6FEF53C3A2C7BtrueMicrosoft WindowsValid 734700x8000000000000000102908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\mfc42u.dll6.06.8063.0MFCDLL Shared Library - Retail VersionMicrosoft (R) Visual C++Microsoft CorporationMFC42.DLLMD5=DD361EE0A665F41783E02CEA20285E61,SHA256=457BF44CC1BE99FD74983178AC34E83AEC2ED73DFEE9F9FC7F5F501AD8A6D03B,IMPHASH=5407FE666C5FCACC20F969C8CE05D993trueMicrosoft WindowsValid 734700x8000000000000000102906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exeMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9FtrueMicrosoft WindowsValid 734700x8000000000000000102897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000102896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E,IMPHASH=EE6E7AA59AC992D3937C01196243C8D7trueMicrosoft WindowsValid 10341000x8000000000000000102895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.458{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\wbadmin.msc" delete catalog -quietC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet 734700x8000000000000000102890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.454{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000102889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.454{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 10341000x8000000000000000102888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.451{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.451{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.451{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000102885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.433{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.433{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.433{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000102882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.433{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 10341000x8000000000000000102881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.433{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.433{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x8000000000000000102879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.418{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000102878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.418{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.418{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.418{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x8000000000000000102875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.418{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.418{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.418{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000102872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.418{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000102871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.418{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000102870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.418{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000102869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000102868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000102867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000102861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000102858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000102853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000102852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000102851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\cmdext.dll10.0.14393.0 (rs1_release.160715-1616)cmd.exe Extension DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCmdExt.DLLMD5=71B9AD2C078C208ED1633DE7DDAA834F,SHA256=44A35F3F5561E722EA1ED9A128BFF127E6086B114678774BC674BC717DD779B4,IMPHASH=03503926F7A6CC110815DF46C0AEFD5FtrueMicrosoft WindowsValid 734700x8000000000000000102850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.402{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000102848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000102847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000102846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000102843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000102842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000102840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000102838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000102837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000102836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.392{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000102835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}42045912C:\Windows\system32\conhost.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000102833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000102831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000102828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000102825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000102824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000102821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000102820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000102819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000102818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000102817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x8000000000000000102813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.377{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.374{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.374{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.358{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000102808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.358{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.358{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.358{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.358{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.358{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.358{F172AD64-7A5A-63C6-C702-00000000B002}4172580C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+5958c|C:\Windows\System32\shell32.dll+125a17|C:\Windows\System32\shell32.dll+125975|UNKNOWN(00007FFF75EBA9FF) 154100x8000000000000000102802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.372{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quietC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" 10341000x8000000000000000102801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:39.358{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000070600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:39.238{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50400-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:40.341{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0335D8ACB2198EF1943F363C3E7F41CC,SHA256=0F595009DF764D846B42D88C6F3B8BFAA6C0D4F5798B9525FF194CB48F08A340,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.937{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x8000000000000000103005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.753{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5501_none_aec664b1ddd8c519\GdiPlus.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=C8D45154ED70BAC1BEEFD0189370A4BB,SHA256=9F85F30113189576460BAE5BF56327A4E3DB65B84E8933595260DA224C8811E8,IMPHASH=BC747D18CC28DFF374DB67CDCF580B6BtrueMicrosoft WindowsValid 11241100x8000000000000000103004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.625{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.625{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DADAAC98241F70EFB12A72F11FE5FD2,SHA256=730780C76F39918919263754601DAFE8F685CDEAA7DF8E0EE790BD2F8BA16395,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.609{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\credui.dll10.0.14393.5648 (rs1_release.230105-1654)Credential Manager User InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationcredui.dllMD5=B1E6026E177671849991402EC273C5F0,SHA256=2847C2909FB10306257832F7780E4D821BF300DB7EAA8A6689FEDAE80981C125,IMPHASH=759BDFE8131F73A7B2386342DE7A7604trueMicrosoft WindowsValid 734700x8000000000000000103001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.609{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.609{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1,IMPHASH=4CAFDD735088F52AC974373982DCCDF2trueMicrosoft WindowsValid 734700x8000000000000000102999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.609{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\blbproxy\v4.0_10.0.0.0__31bf3856ad364e35\blbproxy.dll10.0.14393.4046 (rs1_release.201028-1803)Managed Proxy between LHBackup engine and UIMicrosoft® Windows® Operating SystemMicrosoft CorporationManagedProxy.dllMD5=97C8E61DB9A00244C5D3047F8C59E47F,SHA256=966D71D88823420C43ED6B1172AE4FA6AADF48B271048BADC2A4BD5A00456A8A,IMPHASH=0746B327FFA4FA1457971DD53A4314F6trueMicrosoft WindowsValid 734700x8000000000000000102998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.608{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\blbproxy\v4.0_10.0.0.0__31bf3856ad364e35\blbproxy.dll10.0.14393.4046 (rs1_release.201028-1803)Managed Proxy between LHBackup engine and UIMicrosoft® Windows® Operating SystemMicrosoft CorporationManagedProxy.dllMD5=97C8E61DB9A00244C5D3047F8C59E47F,SHA256=966D71D88823420C43ED6B1172AE4FA6AADF48B271048BADC2A4BD5A00456A8A,IMPHASH=0746B327FFA4FA1457971DD53A4314F6trueMicrosoft WindowsValid 734700x8000000000000000102997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.608{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\assembly\GAC_64\blbproxy\v4.0_10.0.0.0__31bf3856ad364e35\blbproxy.dll10.0.14393.4046 (rs1_release.201028-1803)Managed Proxy between LHBackup engine and UIMicrosoft® Windows® Operating SystemMicrosoft CorporationManagedProxy.dllMD5=97C8E61DB9A00244C5D3047F8C59E47F,SHA256=966D71D88823420C43ED6B1172AE4FA6AADF48B271048BADC2A4BD5A00456A8A,IMPHASH=0746B327FFA4FA1457971DD53A4314F6trueMicrosoft WindowsValid 10341000x8000000000000000102996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.367{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x8000000000000000102995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.206{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.206{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.206{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.206{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.205{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.204{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.204{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.204{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.191{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6,IMPHASH=291B64B0984CCD3A091CF75D2A111D5DtrueMicrosoft CorporationValid 10341000x8000000000000000102986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.052{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.052{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.052{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.043{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.043{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.043{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.042{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.042{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000102978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.042{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000070601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:41.531{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50B6C52BDB1D3791FB491E5D0CF8B97,SHA256=2960EF99A77AD119B7ED36BAE3EE02A183597AC824C3863C018818F87BF992DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.681{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.681{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E968398C6BC494FA1E9A4F39AE37D300,SHA256=621F9D4E90759CAE5D12DF818434B6FECD523622CC3BC08D20B6A7131BE10D50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.361{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000103014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.361{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000103013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.361{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D802-00000000B002}4204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000103012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.360{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000103011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.360{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000103010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.360{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A73-63C6-D702-00000000B002}7044C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 734700x8000000000000000103009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.309{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000103008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.225{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x8000000000000000103007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:41.037{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\System32\mmc.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 23542300x800000000000000070602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:42.622{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1D2AF18276C4C8823C8D98FDCFB4F7,SHA256=BE5DCA69630D5EBF11ADF7571203C62E2298017850C2E71F7F399D79ACB11F3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:40.264{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64588-false10.0.1.12-8000- 11241100x8000000000000000103021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:42.816{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:42.816{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CAE4739595441E7AB226F5D0DE261D,SHA256=453D5E36D93E9DE54D6B58C76E47062AF3AC614D0123AEF6052CBEC90DDFC1A3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:42.674{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000103018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:42.674{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=816204257E0E21472851ABAC4C895BB8,SHA256=1B752AD8072BFC24243503C286FAB02F6592B5075E527A38EC4A054764C08173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:43.980{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E77A741788E0C7B15D33E5A6B158B983,SHA256=28BB784F912E446EDD3816AE4EE5EA52285885E7F57E49E00ACE0A52E9E44065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:43.808{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80D3960E1500AF7A0D4568623321ECF,SHA256=741843EF3EE5FF19275B2428B7B4B12EB87D90932ED4079FE48C0C1E22D95560,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:43.860{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:43.860{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595F12F25401EF35D485D4DF533F626F,SHA256=1939F464ACA4F826BEEB0F1B2ED7C8E56CA2C329BCC610D5C637FE95619AE6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:44.894{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB76D35A4CB69DA1F3A9675D4900B5BF,SHA256=C3330DC85FA85ACBD3AA3979E16C788DFECE99F43E44856BF9EA8FAF778D9AC4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:44.961{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:44.961{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C97A1EDEF9919671C4A7125EA28AA00,SHA256=488E2CDAD666411E39184895D24D4917E11F1963E019846164501BD14EDC4337,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:44.461{F172AD64-7634-63C6-B901-00000000B002}49005128C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:44.461{F172AD64-7634-63C6-B901-00000000B002}49005128C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:44.461{F172AD64-7634-63C6-B901-00000000B002}49005128C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:44.461{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:44.461{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:44.461{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:44.461{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000103025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:44.445{F172AD64-7A73-63C6-D902-00000000B002}7196C:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Roaming\Microsoft\MMC\wbadmin2023-01-17 10:37:44.429 23542300x800000000000000070606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:46.103{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2E309C933704E5635FC4345BA0810A,SHA256=E99A3CCB28B42F9A530D2EAA30A1D3B495712F11FB613EFACDE613566A54142F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:46.080{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:46.080{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7843226E47F5062AE536BC951F7B7BAD,SHA256=8369A52C68C45C188EA02010CD57B082ADD492568FF1D4689ABB3ADCB9319126,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:45.006{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50401-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:47.210{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A75F681B654657489E5110F4FC843E,SHA256=BBC0AF4BC89F8DE8A79B05F8466D8EDE2CB3065127E06F449AACE7672A3552E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:47.204{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:47.204{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378F674D6FC86E843C01CECFD92EA372,SHA256=B93367881A5B4B4FB42939903F74A8DEA814B0AA28EF8A5F31FDAFF01DCDB236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:48.288{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF48554FD8A4174BFDE1C855D4D05E4,SHA256=7C3C7F11E14EAD5297852272BE2D1EA1BEBCBE2FB5549B9A0991BD943DBD19A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.365{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.365{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000103065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.305{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.305{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43ED40BF28A9CA37C573E944205E97A8,SHA256=0F12246812160B2F5CC0645D64DA7506E9971AE669573245DC41369F330179EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.280{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.280{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.222{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.218{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.213{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.211{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.210{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.203{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.199{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.198{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.196{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000103052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.195{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:37:48.195 10341000x8000000000000000103051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.190{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.169{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.164{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.157{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.149{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.141{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.115{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.103{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.094{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.080{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.067{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.026{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:48.022{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000070610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:49.380{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728E7C00C818C8D7D5282C7BF7EFCE2A,SHA256=718EFB1EC40739AACB7DEC94090A25DF07285C786E8F073572BABAC8408C5755,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:46.258{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64589-false10.0.1.12-8000- 11241100x8000000000000000103069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:49.286{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:49.286{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375867870D528DB79CF028F6B80AA6F0,SHA256=41C31F66B8573FB7B87E64734D8698B538871BA94B1706A983B376A6447D13BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:50.470{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A92D75AC476DC6C31025A047F292323,SHA256=8D431AA86EFC9E38284551464BBC82329AF27EF8D515A1B3A10902EBA42E0A51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.766{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.764{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.399{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.398{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.398{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.387{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000103084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.386{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000103083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.377{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000103082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.376{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000103081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.374{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000103080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.374{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000103079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.372{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000103078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.369{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.369{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB1454E19FAC2F3C9AF4093C4B23389,SHA256=A68D7F974A5D1B38BD8EAD16C70E20CAEFF3B2BE5D46BA40DFD893A9497764BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.297{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.293{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.281{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.281{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.279{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:50.250{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000070613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:51.569{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5923BC7DE85819FCE58476442892106,SHA256=157F94F50FE7569DE02D94791888FDBBCF11D72B6BDC7D2C247D810FB30E131C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:50.226{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50402-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000103139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.951{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4CD929798544C01C67155901B222CFAF,SHA256=AEE0A6D22A3145DC674F1A82AB0AD009CC2B8BE95D89C396F9D2D41FCC4087C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.635{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.635{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.461{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.459{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.456{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.453{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.451{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.449{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.446{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.444{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.441{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.439{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.435{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.433{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.422{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.419{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.417{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.415{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000103120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.410{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 10341000x8000000000000000103119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.410{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x8000000000000000103118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.410{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702029AF4B74427B8D7C53B67305C75C,SHA256=5B34B9FD2428E03B72674A0A7CA37C07BFF20467F3CC884B75EAFEECFD88E180,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.407{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.404{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.399{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.392{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.390{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.375{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.375{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.364{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.363{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.362{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.362{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.361{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.346{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.337{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.335{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.309{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.303{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.292{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.288{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.286{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.284{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.281{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.279{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.277{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.276{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.274{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:51.273{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000070614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:52.659{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C53AB886B7DEFAC211EC1C3F071E62,SHA256=BDE09A6DEDD316D7FF1FDEB28849A2F5953B3CA37642A969D2AD5763BAA91D26,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:52.752{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:52.752{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B30935F979E0CF837EE984905ED6E4,SHA256=6E8A68FD3895AB1CEFE1096448E1F47C1735F7639B843E983D93AB6503B7F404,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:53.803{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:53.803{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18112EB5587AEF5D8531A313414B90C4,SHA256=9AC4A1FDE00F2EEB95CED7AEB1B936E2AE49042E91ED3A4AED2B93BBA44ED525,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.497{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.485{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.459{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.447{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.418{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.410{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.396{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.390{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.388{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.382{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.379{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.376{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.372{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.371{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.369{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.368{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.366{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.364{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.360{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.355{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.348{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.346{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.340{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.333{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.322{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.310{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.275{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.259{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.247{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.227{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.193{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.121{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245648C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980610) 10341000x800000000000000070617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.113{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.107{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:53.105{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x8000000000000000103145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:53.525{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:53.525{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000103143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:53.500{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-17 09:39:52.340 23542300x8000000000000000103142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:53.500{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FEE1D5C146A3A56374738DF9535A746A,SHA256=D5BB805272C127812D15F5337B52C23252B52ADEF93DF9D47E00D20E10A9A515,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:54.985{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:54.985{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFD0646AA49A5FFDE9FE3E9BF574188,SHA256=E9CE04D425B9668304EE8C157A02B5BF04D5F7BC6738872622BA8D12797F61F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:54.119{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FF7FE04C9C202D7E0244421DF6AEC6,SHA256=E2F848AFE13BA9BEE5C89D09687F1393AD553CD6974892BD44AA1A4057C8A5B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:54.011{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000070653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:54.008{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245616C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000070656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:55.174{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B221BC8CC3036BF406296B71A9F19A,SHA256=0266E985722B15D5618DAD2487BD2AD63ACAD38E0BC364163388CCF793567F4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:55.885{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:55.885{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000103150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:52.265{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64590-false10.0.1.12-8000- 23542300x800000000000000070661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:56.243{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6929671B491F0A418C5989A6B796FF,SHA256=254A02177C3616D11E1016F437EA70F7C2CF318754D8B33ECD171F2709AEC506,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:56.004{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:56.004{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1169D4C18F5E245588A8D6F5241A727C,SHA256=B17A93ADEEB7CA90268295C7806D91D84CD34B6CE7B41475BC2D4C89409A70A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:56.019{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:56.019{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:56.019{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6204072C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:56.006{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000070663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:56.153{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50403-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:57.332{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D43B639148DE16EA73F3077FE5D340,SHA256=8291E345CB405693766CD995785EFA3BF90EEA7CE7F90DAF068EF84A6BD4B848,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:57.114{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:57.114{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DD3EF036E8194827EC3A822A214518,SHA256=D9A1CA15488E2113A6F3804DC834BC99CE20F63E6F569D89D90875FB510B16C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:58.417{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D01D1527D57EDE27C0ED6F8F475B663,SHA256=6623B6EDA3F892E07E175771C1200545DA839F95092B7F5FA81A7E8764DF2A03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:58.243{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:58.243{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C9609B8BBFC346AF36482A751A8A67,SHA256=63917E4F664A4F3DEAFAC25CFEA68B45546E5D900A3EB2780F6E8E24A9C51799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:59.803{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:59.616{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0333D6EDDDCFEB41EA0A8B3608903C7B,SHA256=7EF9E77FC777CC17FC5CFD0BEAD1DB7BBC3718D45C3CD122D2D23913E1F09BA1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:59.275{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:59.275{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446AB7EBA03AE341CB963E8183C2A97A,SHA256=26E267FC66343D71927CAC00614C54EA343DB4EC5F91CE21CBF61822496479CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:00.698{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1E06F0DBF0E5EEB0E4894BE4AD24C1,SHA256=7379F2406B7D7937FA884F6E090CCD3333DB84C46FF3FCEBDF64F92A8900683F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:00.395{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:00.395{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169A26FE93E192E82096BB0BECEE06A1,SHA256=C4E7CF6E47A71590039DC1E66EDE62505D7DE5E147640A2B1A96717A1701F1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:00.433{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B221F983C66EF63999F3D2F64F60C3EE,SHA256=774B0CBA0A11A9361FB4B30D51C88A3351CC8B9F361D19EE40001282666975BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:01.461{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:01.461{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA5650E650617C974E239ECDF1382F,SHA256=5700DAF8449F4E40C410EEB74B7CF44EF7630F4112F937E52E88E43B953D89A3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:02.517{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:02.517{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819EF1028E107DB60642E19AFEC56585,SHA256=252833F0B2D65F07DAE2C9C22416C558862E7C360D44650B93F5533BAA36BEAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:37:59.775{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50404-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000070669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:02.035{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56DEC466856F0AEAB2F061B25990ABB,SHA256=046A9615535AC950F7CD621640FE91FF95DBC8DE0E85CF9024BF2660BD8DEBB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:37:58.273{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64591-false10.0.1.12-8000- 11241100x8000000000000000103169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:03.636{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:03.636{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7D0BA78B5CC6D84C830B8E78F9D11F,SHA256=33881605310BD3240659132BA347DE952BA2D8A21EFB0CD1CCD21B8BE742F7E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:01.170{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50405-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:03.120{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9467A5DF09A39078E51B758C0968C6,SHA256=3646D5EF7AB2FFEC69FF6474AA5F05127CF6C042134F03CCBB7978BAD46F4AC5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:04.664{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:04.664{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5712CA443C9F4962D8344ED18487094C,SHA256=1FA3145E7FA64A959A2B1ECDBFFDB70A22AE77E02FF488D228A6A9EF13261B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:04.323{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4682119C8265814D3FEEA7C4B3F76C7B,SHA256=DD7883258C593D71D191A1110C3A516B3E3232596F5B51F2AB491144F5D6E056,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:05.680{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:05.680{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC3418585FD69BFF066C8489A4466FF,SHA256=196357AC04356BB2A55062EC03F28113B3BA1CF167D87076B154B5FFF3DF70FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:05.412{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC4AAB68BB8303802D6D3A71C5B32B8,SHA256=3B6F352DFEC4D765E41B82179D3D03EE0CA05E0CCF39D981B57FF3D6CB9DFFF8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:06.797{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:06.797{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0105187E7C6286F9C8413A041785DF,SHA256=FC89383F8C350787B65244D86167D9B9F7EA45FCF60686654D4907D0D12C5814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:06.491{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F11BD255ABF804C74919A84CB4669A,SHA256=109D975FA6A7A9AEB8D4E05BD1F109E7FEE706F63485036537264872ACF4BDA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:07.587{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1F12DA9050F567EB53E63DDDC252C9,SHA256=4565507830468EC5B3F675E697BB9A3850EF63CC629CC371AE503A3958A1BED4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:07.998{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000103178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:07.898{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:07.898{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BAF7F906ED76245C873CA3F220E284,SHA256=714EC0D30761F203E0BA7849DA713067BC581567178060A2AFE604062E6A2F9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:04.278{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64592-false10.0.1.12-8000- 354300x800000000000000070678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:07.085{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50406-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:08.777{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631FFBE1BBA2C28279D521F5B9F656C8,SHA256=60A51133B8F87E362F5B77E58117C9E149B5D918C94D54D1B2813BB83F8515CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.207{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.198{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.192{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.190{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.188{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.179{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.172{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.170{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.164{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.159{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.148{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.142{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.135{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.128{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.120{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.094{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.083{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.077{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.067{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.056{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.000{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000070679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:09.869{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06350FFAFEFC28A688CBA5C00DB0063,SHA256=7BEBB86F64ECA8FABCBAF451D0FCD61B4F5DE31A3A4D50FDB50F2E0CF9DCFB15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.999{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:08.999{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2D0CF5AC79DE97056D4375569E7F23,SHA256=2A21631C70E82EB6563D6F4E7F1EBA010F4CE282B7CB22A5CFCCD0167C990F6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:10.755{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:10.753{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:10.254{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:10.249{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:10.242{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:10.227{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000103204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:10.102{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:10.102{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01F35B5EB7B03C6309B91613B071333,SHA256=F9C706B5925A523834319774DBDF0A447CA5E00505BB63B13D9C5CE5EEA9D2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:11.170{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6C72B0A3741A538ED1777196010F2A,SHA256=845CA49FE91C53985C3FA518EECFE2AA8484CB66320820B4CE549FE9084BC292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.455{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.453{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.451{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.449{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.446{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.444{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.441{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.438{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.436{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.433{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.429{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.426{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.416{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.414{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.411{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.409{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.406{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.403{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.399{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.397{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.389{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.386{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.362{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.361{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.360{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.360{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.358{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.343{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.333{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.329{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.299{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.292{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.280{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.275{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.273{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.271{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.269{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.266{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.264{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.263{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.260{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.259{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000103212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.146{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:11.146{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EAF2B0A92D301C61C49ADC1E684902,SHA256=A7E3B94E30D63D75147A582A0E19D72EACB8C3B24D1A9416060D25AA447ED56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.813{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=312D87F56763780B1EF5A7987A489DB2,SHA256=2C20D1061E6110D71668546C58B605E8F0C0EB43967FA3B6F44F553938315DEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A94-63C6-7502-00000000B102}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7A94-63C6-7502-00000000B102}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.382{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A94-63C6-7502-00000000B102}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.384{F6EEFE7F-7A94-63C6-7502-00000000B102}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:12.260{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11B78078A2D930713AFEED3EAED1A19,SHA256=867CFAF045AA1737543B7336680E39DC80E622184FB63111D436ECC3086C913F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:12.805{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 11241100x8000000000000000103257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:12.805{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeD:\surprise.exe2023-01-17 10:38:12.805 11241100x8000000000000000103256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:12.289{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:12.289{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A7231435664E3695547053A63F280E,SHA256=DC99CA41EC78D97F7DCB8C179A20392FFB16CADD1E35C3F0D0639B609D0F35C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.521{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.508{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 23542300x800000000000000070733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.470{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E413543448CA76F2E790E59225A5AC,SHA256=99C3FEEAFAE4622FCF47E83722B95451C757357A756754707A6734790AECE02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.468{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E35E042647DCEB7C58341AAB9A3BA606,SHA256=CBF3952EF14C1DED934B7A0207121E2B666CC515F1A848B73372EEFD9F6D572A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.465{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.445{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.404{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.398{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.387{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.382{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.380{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.374{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.371{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.369{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.366{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.356{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.351{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 11241100x8000000000000000103263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:13.791{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000103262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:13.791{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AC95B7C53F0C86DC327F203AD410D6CB,SHA256=653C7D06EBB730325C97DED921ABB2681490DB267E7832F6A7F0B69394CD26A7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:13.325{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:13.324{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87839E4C5F73FF4AF894413A2F16F6D,SHA256=1CFB167BD4877846EECD72BD655FC8AB2FAFEE7CCD756ACCDDF9ECACB6A93215,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.350{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.344{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.338{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.325{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.314{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.311{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.280{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.246{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.229{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.184{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.166{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.158{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.149{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.141{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.136{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.118{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.097{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.093{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 354300x8000000000000000103259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:10.220{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64593-false10.0.1.12-8000- 11241100x8000000000000000103348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.992{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.992{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D302D6B970458619D60D0A0602B959,SHA256=435234E915730E87A1667475DD628F409DA7787FEDD7A1984037019107FA3158,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.929{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000103345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.923{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.923{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.923{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.907{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.907{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.876{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.876{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.876{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.919{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A96-63C6-7702-00000000B102}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.916{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.916{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.915{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.915{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.915{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.915{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.915{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.915{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.915{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.915{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7A96-63C6-7702-00000000B102}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.914{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A96-63C6-7702-00000000B102}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.914{F6EEFE7F-7A96-63C6-7702-00000000B102}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000070752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:13.053{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50407-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.341{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5FB2E6AACA436CD172470F5F33891FF9,SHA256=FB9E16CFFD6AD91100302B790199A49F03ADF3EED1573A9EB1F94C1BB4412F46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A96-63C6-7602-00000000B102}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7A96-63C6-7602-00000000B102}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.250{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A96-63C6-7602-00000000B102}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.251{F6EEFE7F-7A96-63C6-7602-00000000B102}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000070737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.044{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A46-63C6-6D02-00000000B102}2912C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x800000000000000070736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:14.043{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245876C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7A44-63C6-6C02-00000000B102}660C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000179623D0) 10341000x8000000000000000103337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.860{F172AD64-7634-63C6-B901-00000000B002}49003412C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.860{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.860{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.860{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.860{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.833{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\WinTypes.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=66D8DF1956272C96C3C9A27D9CF1E700,SHA256=615CFE128949B501E3828CF8409ED9ED25E9D8CC46FB7689F7A292736EFE0EBA,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 10341000x8000000000000000103331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.849{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.833{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000103329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.827{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\efswrt.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Storage Protection Windows Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationefswrt.dllMD5=5A0D0B6358BFBCC853A32BCA9BE21E70,SHA256=B78D7BDCAD8DE24DFC0EBC57CE7AB4AE07A44E8AEB67CC4D1B387AFDF6450720,IMPHASH=DB722C59D528E4A03ECF3B136E3B2A72trueMicrosoft WindowsValid 734700x8000000000000000103328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.828{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000103327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.807{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000103326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000103325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x8000000000000000103324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\feclient.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT File Encryption Client InterfacesMicrosoft® Windows® Operating SystemMicrosoft CorporationFECLIENT.DLLMD5=53DDCEEEBB92F311D9F3A6170495BDD9,SHA256=E94B5BD888D06DD6F4A33797459CF46E3F4AAB5A3FBDFFB668E5AB61C51E5A85,IMPHASH=F81B72A18C4A8A86D4B59944671E95CAtrueMicrosoft WindowsValid 10341000x8000000000000000103323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000103320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000103319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000103316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000103314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x8000000000000000103313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000103312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000103311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000103310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000103309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\windows.storage.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=82CD347711701B91BAC335AEFFC46068,SHA256=C25112AF67131F52ED99B36A9C483CDA36A74E409E68E400DC34B95D01EB6550,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000103308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000103307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\shell32.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=9DF7F6EB18007F11AEAF615854CDAF1E,SHA256=ED1836F1B387F1A85E113C7E3769E9C6689C1EF5BC1B52AED6C8AD52F311A025,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000103306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82trueMicrosoft WindowsValid 734700x8000000000000000103305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000103304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000103303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000103302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.791{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x8000000000000000103301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000103285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.776{F172AD64-7A5A-63C6-C702-00000000B002}41725224C:\Users\Administrator\AppData\Roaming\svchost.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\shell32.dll+599af|C:\Windows\System32\shell32.dll+5983c|C:\Windows\System32\shell32.dll+e308e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.775{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\AppData\Roaming\read_it.txtC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{F172AD64-7633-63C6-0CDF-160000000000}0x16df0c2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe"C:\Users\Administrator\AppData\Roaming\svchost.exe" 10341000x8000000000000000103278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.760{F172AD64-6CE8-63C6-1300-00000000B002}6804856C:\Windows\System32\svchost.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.760{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 11241100x8000000000000000103276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.430{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.429{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08B3BCF67CBD7E8306AD7F6D0B0020C,SHA256=11B8E51DFFD401D43C0F1704F40250EB743574DEE7582EF6CA3259F0DDFD31C9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.233{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Users\Administrator\AppData\Roaming\read_it.txt2023-01-17 10:38:14.233 11241100x8000000000000000103273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.233{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeL:\surprise.exe2023-01-17 10:38:14.233 11241100x8000000000000000103272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.233{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeK:\surprise.exe2023-01-17 10:38:14.233 11241100x8000000000000000103271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.233{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeJ:\surprise.exe2023-01-17 10:38:14.233 11241100x8000000000000000103270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.233{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeI:\surprise.exe2023-01-17 10:38:14.233 11241100x8000000000000000103269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.233{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeH:\surprise.exe2023-01-17 10:38:14.233 11241100x8000000000000000103268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.233{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeG:\surprise.exe2023-01-17 10:38:14.233 11241100x8000000000000000103267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.233{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeF:\surprise.exe2023-01-17 10:38:14.233 11241100x8000000000000000103266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.233{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeE:\surprise.exe2023-01-17 10:38:14.233 10341000x8000000000000000103265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.148{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:14.148{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:15.650{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50118EC306F7D8658711ECC55F00AB4C,SHA256=CD45B49D1128F9849AF287D3741645D97AAB537475D52517254B657EFE9FB826,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.793{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000103366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.793{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47C84BD60F4C6397C7D9E75B2FF1BBA5,SHA256=FE8F9759A38FD2257AC30EA3EFD269C87F1541234AAFC35E774B7B16859483FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.727{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.727{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.727{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.718{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.718{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.718{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 11241100x8000000000000000103359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.608{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.608{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF7C22EC25429E77991D13C2368825D,SHA256=C3ADA054D67C411ED7C6B98A273A630424AD46A6CC5CD82FCE5C263A844E9EEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.249{F172AD64-79B2-63C6-8A02-00000000B002}62081552C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|UNKNOWN(00007FFF62CA79AB) 10341000x8000000000000000103356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.207{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.207{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.207{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.207{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.207{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.207{F172AD64-7634-63C6-B101-00000000B002}43764572C:\Windows\system32\taskhostw.exe{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.133{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 734700x8000000000000000103349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.076{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 10341000x800000000000000070767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:15.128{F6EEFE7F-7A96-63C6-7702-00000000B102}54243676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:15.035{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711DB3B3D16B5A7B5A2644B87F2F894C,SHA256=A990A838E07951CDCB87192CCA2B28F3DCD937A78108F45AECF21B65C1295203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.846{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10345F6BC36B9C85772DC1F2866542FC,SHA256=2B1009127EFB406A264B456B958E1797446FAE59F9DA2C6593220EF8F138E9B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:16.809{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000103371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:16.809{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000103370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:16.809{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x8000000000000000103369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:16.628{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:16.628{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EC518637063522396139FBA0AE599C,SHA256=B805CA4CECCF5B2D54E135F70E019046755AF843360F818B498F0DA0E853781C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.433{F6EEFE7F-7A98-63C6-7802-00000000B102}29925776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A98-63C6-7802-00000000B102}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7A98-63C6-7802-00000000B102}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.264{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A98-63C6-7802-00000000B102}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:16.265{F6EEFE7F-7A98-63C6-7802-00000000B102}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.942{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32581725647A236E10F36BD811E13245,SHA256=1D770F2AF8B147784298B8EF9548F5A53D7D83BC24858F91D056F83A602C96A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A99-63C6-7A02-00000000B102}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7A99-63C6-7A02-00000000B102}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.864{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A99-63C6-7A02-00000000B102}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.865{F6EEFE7F-7A99-63C6-7A02-00000000B102}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000103374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:17.728{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:17.728{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD878E379D95523A0DF8EB7353F577FB,SHA256=C0E9BC620D40C9DF72DA6E774D6A4912DA6EBAA55741DB9712637334E5A088E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.428{F6EEFE7F-7A99-63C6-7902-00000000B102}41764368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A99-63C6-7902-00000000B102}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7A99-63C6-7902-00000000B102}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.191{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A99-63C6-7902-00000000B102}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:17.192{F6EEFE7F-7A99-63C6-7902-00000000B102}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:18.929{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EE0BAE0B4D0142065F77F13604FDA7A,SHA256=BB3EEFF441973FE4EBF245D0D362D7F826BED4E8D1AF92308F6C9BEA18411F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:18.913{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B13F4A77152768F3CB76525F030B91,SHA256=5FBC183E68DB42905491E5B05356F01F53113F380E25B1A23E48F07F480B9028,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:18.817{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:18.817{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04C7D607C5FF6E5AB2DA18EC68A2092,SHA256=846244735F96BAC6F09453F763D9450A16F599980117A1C3F5E6DFA2D46F3635,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:18.058{F6EEFE7F-7A99-63C6-7A02-00000000B102}56725984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000103376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:15.239{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64594-false10.0.1.12-8000- 11241100x8000000000000000103375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:18.194{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:38:18.194 734700x8000000000000000103428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.963{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.963{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.963{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.963{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.963{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.963{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.963{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.963{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.963{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000103419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.963{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000103392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000103387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.952{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.953{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000103380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.928{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:19.928{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827BDDEEAA9FD004B194E5A53094CCE1,SHA256=F42CF49FB076D6BB248D8D914746EFA9F16C009EC986D75982915F162CF85BF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:18.227{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50408-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000070827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7A9B-63C6-7B02-00000000B102}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7A9B-63C6-7B02-00000000B102}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7A9B-63C6-7B02-00000000B102}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:19.506{F6EEFE7F-7A9B-63C6-7B02-00000000B102}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:20.109{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDE7E7132F13E801584BDD14EC7624A,SHA256=CEAA5607155E88008FAF64926F834F019624EEEBA8BD7CB8A008A2E9A458EECD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.823{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000103517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.822{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.819{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000103515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.813{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.813{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.813{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.813{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.813{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.813{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x8000000000000000103509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.636{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.635{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.635{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.635{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.634{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.634{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.634{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.634{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.634{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.634{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.634{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.634{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.633{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.633{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.633{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.633{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.633{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.633{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.632{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.632{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.632{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.632{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.632{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.632{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000103474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.632{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000103473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.631{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.630{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.630{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.629{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.628{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000103468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.628{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.628{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.628{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.628{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.628{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.627{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.627{F172AD64-7A9C-63C6-DD02-00000000B002}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000103461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000103458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000103457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x8000000000000000103456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-6CE8-63C6-1000-00000000B002}3564360C:\Windows\system32\svchost.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-6CE8-63C6-1000-00000000B002}3561320C:\Windows\system32\svchost.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000103453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000103452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.552{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000103447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000103445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000103443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000103439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7631-63C6-A501-00000000B002}19606036C:\Windows\system32\csrss.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000103438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000103434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.536{F172AD64-6CE7-63C6-0C00-00000000B002}832508C:\Windows\system32\svchost.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.392{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 10341000x8000000000000000103431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.152{F172AD64-7A9B-63C6-DB02-00000000B002}77484432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.152{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.136{F172AD64-7A9B-63C6-DB02-00000000B002}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000070830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:21.297{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1246D680739D7DDE8F09E21DA2A1EF,SHA256=530396510834257B7371C163EED57C43DD63559B4F55E336223EC148F01DC3D6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.958{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000103593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.958{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.958{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000103591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.809{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.809{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.809{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.808{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.795{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x8000000000000000103586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.795{F172AD64-7640-63C6-CB01-00000000B002}61966224C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 734700x8000000000000000103585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.737{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.736{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.736{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.735{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.733{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.733{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.733{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.732{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000103576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000103554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000103551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000103550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000103549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000103545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000103540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.714{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.715{F172AD64-7A9D-63C6-DE02-00000000B002}7256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.313{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0CE4E1E68FE6A3CEAFB3EBEDEB52BF4D,SHA256=3E1F065D587AA8E26112D167BFB8C1C8C581F93B098D6E1AE261FC711F004C4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.198{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.198{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.198{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.198{F172AD64-7A02-63C6-A602-00000000B002}77647696C:\Program Files\Process Hacker 2\ProcessHacker.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000103528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.155{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.155{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DB8CFDA0B711B1F6BEFA959720224B,SHA256=6688F537C9BDBE201117BC8EF690CDC191D1AF27E91B755C6F78B3FB0C65E680,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.155{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.155{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD369AEB2CA047244D5CA2ED08867BE5,SHA256=1AE3C7B0E6F7F549286ABE21F2494B365960D5EF811C26D03EED21663D873751,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.133{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 11241100x8000000000000000103523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.133{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 11241100x8000000000000000103522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.133{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000103521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.133{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA7E9162A1843286A67EC149EEE3BD4B,SHA256=B5F6E1D4862FFBDCE61FA60B8E4986A7D5A69A58BBD212A179AAB0366FE8C411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.133{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D908C602313EB686DBF72D3B1B443ACB,SHA256=D1B204B8317192C2436A921F49351B716CF7B7D9694B30089136F795B147EC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.132{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F536C462DD513DEFDF93A2F691D4C78E,SHA256=D37E7BD8BC61F170BDAA5A81E3582681F5055C3A5495A721DAA54FD0FEFB9928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:22.373{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831EA0A3D1489553B37E7D8062838FC9,SHA256=18C18689159B554F670ABF58914266530333EA9641C73457AA634473576208E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:22.809{F172AD64-6CE8-63C6-0D00-00000000B002}8928072C:\Windows\system32\svchost.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:22.809{F172AD64-6CE8-63C6-0D00-00000000B002}8928072C:\Windows\system32\svchost.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:22.809{F172AD64-6CE8-63C6-0D00-00000000B002}8928072C:\Windows\system32\svchost.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000103598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:22.314{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:22.314{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671DB138787AA7493D9D640E5BAD4AC9,SHA256=E08190E157D415FD42FAF2F381A2EA4C9216BD19CCD9BCE28EDD0D9A71ABE0CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:22.314{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:22.314{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB797BB352CB301B37E1A92C90E2ECF,SHA256=5F6F9145F4118BC6517328AC907F7E23E11CA44633E69599EDB5C7C5F70A0013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:23.464{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3262F9223B85E22E9C87C313B5BE49D1,SHA256=1ACFBEDF8A71B6ED669F48BE05297EB435274D1C05A51ED499BB2F22E692CE4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:23.337{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:23.337{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66B8B407373975CACFBE948C65D5EEC,SHA256=A2917F2FAB6C4CA7E4CE157619EB062A6F206E50A9EB4D5A745FD7C00072F1F1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:23.284{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 354300x8000000000000000103606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.787{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64595-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x8000000000000000103605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:20.787{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64595-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 10341000x8000000000000000103604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:23.015{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000103603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:23.015{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000103602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:23.015{F172AD64-7640-63C6-CB01-00000000B002}61966284C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A9C-63C6-DC02-00000000B002}7296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000070833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:24.572{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B776CFC741A4D421C028C2D621E747,SHA256=027F63A856CAB58432CA4C931CFDBA3ABEBE0B21FA3C4568FA7C9486F2D42C0E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.919{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.919{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.919{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.919{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.919{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.919{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.919{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.919{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000103675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000103670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.907{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.908{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000103663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.685{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.685{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448A9ED43CB4B5C661FCBAC66C27F452,SHA256=40BBC30D29656C2E91FFBEACD62922A251DB58877A48DF6D7640FE8E0847AAA1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.442{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000103660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.442{F172AD64-7AA0-63C6-DF02-00000000B002}79963640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.442{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.442{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000103657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.258{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.258{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.258{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.242{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.241{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.241{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.241{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.241{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.241{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.240{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.240{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.240{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.239{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.239{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.239{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.238{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.238{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000103622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.237{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.236{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.236{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.235{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.235{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000103617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.234{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.234{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.233{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.233{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.233{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.233{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:24.232{F172AD64-7AA0-63C6-DF02-00000000B002}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:21.187{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64596-false10.0.1.12-8000- 23542300x800000000000000070834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:25.673{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597DF13908FFF9D4EF6DD7DD28BC7C20,SHA256=5C8DC25CF72A1518E026580430CE845487038E7E690814BC8EECCBB23A899EC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.885{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.885{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B482EEC1816DE7D670875205F1F8AACC,SHA256=F1AD887CDFFD481BF08FFAFAEE3B3F2C123BC50288674D93EE97385EFA6B4DC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.843{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.843{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.843{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.843{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.843{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.843{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.843{F172AD64-7634-63C6-B901-00000000B002}4900316C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.770{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000103765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.770{F172AD64-7AA1-63C6-E102-00000000B002}77727852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.758{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.758{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000103762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.601{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.601{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.601{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.601{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.601{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.601{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.601{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.601{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000103729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000103726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000103721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.585{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.586{F172AD64-7AA1-63C6-E102-00000000B002}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000103714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.085{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000103713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.085{F172AD64-7AA0-63C6-E002-00000000B002}2884536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.085{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:25.085{F172AD64-7AA0-63C6-E002-00000000B002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000070836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:26.737{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB7246F7541A77F622027FBFA863D2A,SHA256=F4128AA3D23D7CC0190392C65100614F24BCC00E41614D513D5C86A98CB7E189,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.686{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.686{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332205D1A744FCBC79C262B92D74FD82,SHA256=B6D6AF1346AFC3FD7A004CDAEA1E58C485B0C99CEE3C61FE808AF76EB5A7CD5F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.659{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000103841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.659{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D3541142BEBDC995314BE7A1824BC73,SHA256=9C2E99E1A5C6D2DCB0BF3776A15D2480A90E3DD917E2AEB444ECB0D43A5D44EB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.586{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000103839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.586{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.586{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000070835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:24.090{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50409-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000103837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.517{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.517{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB35F845152A0759ADFD821408E8B3E,SHA256=575E86BD0952A1B1C7CE147848023765BDD7BB45C7E8DA71A00B69D22882D07E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.438{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.437{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.437{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.436{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.435{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.435{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.434{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000103820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000103799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000103794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.418{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.419{F172AD64-7AA2-63C6-E202-00000000B002}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000103787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.202{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.202{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E05D16B579536195F326B855011E000,SHA256=A7CD9CEC63BC554C4BB2077423139A5C53D66D53B40BF97671BD455C965312D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.143{F172AD64-7634-63C6-B901-00000000B002}49004560C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E22B3998)|UNKNOWN(FFFF8AA9E22B3B17)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000103784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.143{F172AD64-7634-63C6-B901-00000000B002}49004560C:\Windows\Explorer.EXE{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8007EB002A8)|UNKNOWN(FFFF8AA9E22B3998)|UNKNOWN(FFFF8AA9E22B3B17)|UNKNOWN(FFFF8AA9E22AE1A1)|UNKNOWN(FFFF8AA9E22AFB6A)|UNKNOWN(FFFF8AA9E22ADE26)|UNKNOWN(FFFFF8007E774C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.143{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF363ea8.TMPMD5=BD9AF94083A9D85112C8E3264D344E48,SHA256=8CA7CF64205FE8250C635E7BCA63840C6852EDA15C0416864210348B04CC27E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.143{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF363ea8.TMP2023-01-17 10:38:26.143 11241100x8000000000000000103781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.143{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z9R93HMCZOZ63K5C61FD.temp2023-01-17 10:38:26.143 10341000x8000000000000000103780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.043{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.043{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.043{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.022{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.022{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000070838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:27.830{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369A69137CDD1E3A74E19C1A850B3E3B,SHA256=C56C786FA4687BB7C82E2277738BDD64465EF74DD6A2042D74981A6BF8E08DD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:27.994{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:27.991{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000103846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:27.687{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:27.687{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4232FE4E24B3CA8A33A7A09A1794B5,SHA256=8E72951229AA3DBF35727DAEF4F7D319443E117878546A7815BF36C2AA58B535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:27.650{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-056MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:28.902{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B76A7D53DA2DA63E6AAC2696EE68F25,SHA256=6AC9BB19834E993C08C61FE5053AA67CB478F2489C3D5C65C752303822DC08D0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.690{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.690{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D81FC033A30FA4BCE6461C9757DF54,SHA256=F671858BB9E60ADA4F72E1F202E0927DB7A2ED57ED79403F00F0D6E4F48C0716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:28.651{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.161{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.158{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.153{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.151{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.149{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.144{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.140{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.138{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.136{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.131{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.121{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.117{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.110{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.104{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.094{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.066{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.055{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.049{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.040{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:28.030{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000103883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.804{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.804{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7115651EBF328886754008AF40928ED1,SHA256=7352611A6507DFF8F9A6C124758685D645D1ABC25764120EFE0E77E46B7A8950,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000103881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.261{F172AD64-7A5A-63C6-C702-00000000B002}4172C:\Users\Administrator\AppData\Roaming\svchost.exe 534500x8000000000000000103880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.205{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe 734700x8000000000000000103879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.204{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy-net-win64\bin\vcruntime140_cor3.dll14.28.29301.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=DAC040C3D6EE8AF9EFF8E0CFC4CFEE28,SHA256=9766F88FE9ACA8388178F3D257F38678DDC7A8B2C6D17BE8D171F6DE72293C10,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 11241100x8000000000000000103878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.188{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup64\net\startup-roslyn.profile2023-01-17 10:34:42.784 23542300x8000000000000000103877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.188{F172AD64-79B2-63C6-8A02-00000000B002}6208ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup64\net\startup-roslyn.profileMD5=344404F1A02B0E8222A9AA6E42DAABF4,SHA256=5CD97427CDBC7E1FAC77EAC730506410ED90DCD201E54BC7AF31A1C3F243EFC7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.172{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeC:\Users\Administrator\AppData\Roaming\dnSpy\dnSpy.xml2023-01-17 10:38:29.172 354300x8000000000000000103875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:26.219{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64597-false10.0.1.12-8000- 10341000x8000000000000000103874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.145{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.119{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.119{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:29.119{F172AD64-7634-63C6-B901-00000000B002}49002932C:\Windows\Explorer.EXE{F172AD64-79B2-63C6-8A02-00000000B002}6208C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000103891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:30.940{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:30.940{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649AF7305EEE26B86B6AB9C4918ACA2C,SHA256=70E1D8AB6DC9F2645FC56C6EA0D3A12E3BEC61179DD5C6BB069F9062CF37C2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:29.995{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2FF8077AB136DF203C13D2C23B6F41,SHA256=4FBF0B4B25866480997DA28B7D03662C809E28FD4176B8FC07D26027CEF9BE07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:30.671{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:30.670{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:30.225{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:30.223{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:30.217{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:30.205{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 354300x800000000000000070843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:29.108{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50410-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:31.186{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFA067CB481EA9BFE75A5135606EC9A,SHA256=4AAE66031C23BFA212EA70C3C1B8681D9FADC6C025137F7A53705BC97C3433BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.358{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.356{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.354{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.352{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.350{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.347{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.345{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.342{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.340{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.337{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.334{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.331{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.329{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.326{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.324{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.320{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.318{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.315{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.312{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.304{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.303{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 734700x8000000000000000103924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.277{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DD,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 13241300x8000000000000000103923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-VerSetValue2023-01-17 10:38:31.280{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{80da81b9-89bd-72b0-f17a-ece410f22b0f}\Root\InventoryApplicationFile\dnspy.exe|cc12727e22789bfb\BinProductVersion0.0.0.0 13241300x8000000000000000103922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-17 10:38:31.280{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{80da81b9-89bd-72b0-f17a-ece410f22b0f}\Root\InventoryApplicationFile\dnspy.exe|cc12727e22789bfb\LinkDate10/19/2020 19:06:46 13241300x8000000000000000103921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PubSetValue2023-01-17 10:38:31.279{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{80da81b9-89bd-72b0-f17a-ece410f22b0f}\Root\InventoryApplicationFile\dnspy.exe|cc12727e22789bfb\Publisherdnspy 13241300x8000000000000000103920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDB-PathSetValue2023-01-17 10:38:31.279{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe\REGISTRY\A\{80da81b9-89bd-72b0-f17a-ece410f22b0f}\Root\InventoryApplicationFile\dnspy.exe|cc12727e22789bfb\LowerCaseLongPathc:\users\administrator\downloads\dnspy-net-win64\dnspy.exe 10341000x8000000000000000103919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.278{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 734700x8000000000000000103918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.277{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 10341000x8000000000000000103917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.277{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.276{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.275{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.274{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 734700x8000000000000000103913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.262{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=A0F1500393A5A2AE256507811E2C4EB8,SHA256=3E79304BAA358B36BECAF107178C50F25104C3BDB2A4448AFD967DEC050A724F,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 734700x8000000000000000103912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.262{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 13241300x8000000000000000103911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.localInvDBSetValue2023-01-17 10:38:31.261{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exeHKU\S-1-5-21-1523490906-690890008-1810102293-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\dnSpy-net-win64\dnSpy.exeBinary Data 10341000x8000000000000000103910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.259{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.248{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.246{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000103907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.240{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000103906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.240{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AA6B0FEAC252D26B5EF83D83FD5B2827,SHA256=13FD885CF6799ADA6FE031FD0C99E8E3553A1AFC0A701684062B2C1B13403692,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.213{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.207{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.194{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.189{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.188{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 11241100x8000000000000000103900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.186{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x8000000000000000103899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.185{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.185{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.183{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.180{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.178{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.177{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.175{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 10341000x8000000000000000103892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:31.174{F172AD64-7640-63C6-CB01-00000000B002}61966592C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016272190) 23542300x800000000000000070844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:32.271{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BAD3D246600CA6137A48DD6C8C2D9E4,SHA256=70C6148F07D3F08AD1EFF2DFF43B58587E4FB225A577349C0AB6042194CEAFED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:32.341{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:32.341{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44498B76E907EF533E7C746CE8AC0AD5,SHA256=8EBD368DB61C5AB25138053DD17EB9315573108055CCA715C28C9059B4E77F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.727{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA08F09F2B9A4C4F2E66296C1B68AF78,SHA256=5A32EAF0F8CF727A22D52E9DD3756D37CA692CD16D883148464EBEB590A65DF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.437{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.428{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 11241100x8000000000000000103950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:33.424{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:33.424{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66CC6F4CDA6C81805B11D3344008135F,SHA256=D000F63BB61AF6675EB252D68C26AA3568D1CF88A0DF2113A3E486DC98C31729,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.400{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.387{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.358{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.346{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.330{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.325{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.322{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.316{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.312{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.310{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.308{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.307{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.304{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.301{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.299{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.297{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.288{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.280{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.262{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.255{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.242{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.232{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.187{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.179{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.172{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.163{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.151{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.142{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.130{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.121{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.112{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.105{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 10341000x800000000000000070845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:33.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245604C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A00190) 354300x8000000000000000103948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:30.313{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64598-false10.0.1.12-8089- 23542300x800000000000000070884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:34.530{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80F8FC1D7B69D703A576746640D6C46,SHA256=ECBBD1ABDA864C407D3C56A42BC1303EB91A6C5284751D6E870B1EDDBB010B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:34.568{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-056MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:34.567{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:34.567{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA790E0647902508048E4C5C48B42B6,SHA256=1942725121809F8437138433B49AF46D07B65E454C194C73BD5A549219587C12,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:34.566{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0562023-01-17 10:38:34.566 11241100x8000000000000000103951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:34.565{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0572023-01-17 10:38:34.565 23542300x800000000000000070895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:35.606{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8BA9EC0D61113BA3352486BE6F3388B,SHA256=1DA0D48B1246B4F75C993984734954DED260EFFDE004A7E1C63FFEB299F0B9A7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:35.568{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:35.568{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90F564553415849709A047A24D40318,SHA256=3DC60B0694EE26CA4B8231F6F5963A1314B7A1536AD9904C78D88B06AD095757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:35.567{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000070894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:38:35.324{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000070893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:38:35.324{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003665e7) 13241300x800000000000000070892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:38:35.324{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a57-0x78321cca) 13241300x800000000000000070891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:38:35.324{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5f-0xd9f684ca) 13241300x800000000000000070890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:38:35.324{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a68-0x3bbaecca) 13241300x800000000000000070889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:38:35.324{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000070888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:38:35.324{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003665e7) 13241300x800000000000000070887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:38:35.324{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92a57-0x78321cca) 13241300x800000000000000070886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:38:35.324{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92a5f-0xd9f684ca) 13241300x800000000000000070885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-SetValue2023-01-17 10:38:35.324{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92a68-0x3bbaecca) 354300x8000000000000000103956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:32.174{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64599-false10.0.1.12-8000- 23542300x800000000000000070897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:36.713{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9850707290232ED4609142A4EE9304,SHA256=8A77AC816648D938B8E2D25FA289C465FBA849E1D3F6BDF3DBBEA9BAB9471B4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:36.644{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:36.643{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CFDC9C91FE33F2D91E1CB1BD1ACB89,SHA256=049C3FA6B6136669AC0DFA60FE272F736DCCC0FA97343397A5BACC845BEEC7DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:34.129{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50411-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:37.913{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E957C33D8E163D2CF3A85A52BB232B23,SHA256=ADCCDE408FD1051CABA5E6C8061B2156F83B4E41AFF3BC12A39A97FADDA25F65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:37.794{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:37.794{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4D2897853085C9AAA7ED99474A5AAF,SHA256=3A19309C99B8028EDECA77A89D3F69B4255B147DD512E7C2F50A807CAA00C797,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:37.510{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:38:37.510 11241100x8000000000000000103966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:38.910{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:38.910{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A339A67996AC0F4BC8514D96803FA6,SHA256=1BF65D46E671C8D1B63A4162246F617D10FA62EDB7BA266BB46CB42B16C8C340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:39.113{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B2D9FD7ED51C73E3E025B100F9F233,SHA256=294E91475276449B7E6F376F321CAB0A1E9B349D89ECD1E8DC421CF5901989BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:37.200{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64600-false10.0.1.12-8000- 23542300x800000000000000070900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:40.201{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38133257E21D21F586F1F295DBC0821,SHA256=996511E2FA97C664643DD2F1DA77405F41448BB054D71C55C428EC1AB61B6574,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:40.027{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:40.027{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52876AC33EDE7FC0442B78A36B11E87,SHA256=BACBD2C60D8570BE477F1906B774A4D09B1D76A63E1DDBABF53378F810784E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:41.397{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239013E041A2F300610D70F097C9B09F,SHA256=1D4B7F0CA877A533D657599FA7E576B9170B5218D5B44B240F9C5BE0FB8B6281,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:40.130{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50412-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000103971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:41.113{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:41.113{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691539A06A920C3E3C58A1F297265A78,SHA256=66ED7BF57CD1A8599CE42C9E8F46A829313AF0C045B0FA5DD2006F455CDF31C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:42.366{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA00E7255538F3C618ACF1EBCA7FB0B,SHA256=2CF71CDE1612FD6D19B126C8C152A69E600DAC93E88B5492D167B5A85CC85819,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:42.228{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:42.228{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF94CBE989C2BA83FDDC7D697C89775,SHA256=3EBCA91439AD08433FDE188DDE684DFD16D69203338A3E813E75A8AF56A59EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:43.457{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DA24625C3031C065F80EA991F6FC5C,SHA256=9A037789FAB637C41A8AFC7112E5E0E846068B17F3D2AC7D894064DFD50425EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:43.371{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:43.371{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A67148DF27466986A865E9E8CF9EEA,SHA256=548B2C3451962FB50B4FB1A543F1966BA629BF43411F0EFAF2C5C4345C295C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:44.786{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199FF41B65A56BCB44CC292F85EC5F53,SHA256=A802089E719E96A648FABCFB914FE7941BD4730D6DA271C12A5F5AE5799ACB1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:44.693{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7CB8344AE09D94B2CC8ECFA920DB0FF7,SHA256=7FC13DC9212C4DC04D72F7CD8701D8EF294AF584476AAD60C38C7BFDE61C9B3B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:44.470{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:44.470{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB95D6EFDA153514503BA678DC60DC6,SHA256=606CC4D705B291DC5714C46ED644074C3901380C8B78564C1F1838A4F4153746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:45.771{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126101A93F8FF59562A2E33619E53E96,SHA256=D3C130A2DD2A3280DB4EB40438D6CD985A03CF8AB947433A0ACA868910F2C457,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:45.548{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:45.548{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FACF52A27D12B95EB7BFE06B4751B7,SHA256=5438AFB73155B25925341A5BDA7A18925094AF28209713FE96DDA9A7565A0D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:46.849{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CDF6C2EBE520003F9DD50DDC97FDFF,SHA256=CC1E3ED1FED8121EE263308F00C623C0E5EEC30ACD6F758F78032B23B2EB0939,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:46.653{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:46.653{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3FFEAE695E7E3B2F4692AAF3C0A426,SHA256=4F4DAB7BF0D60BF8DBEA8F97B3855678FB3565236B1BFB8DF4DA198B0BEA8D0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:43.203{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64601-false10.0.1.12-8000- 23542300x800000000000000070910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:47.942{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80C554ABD2F8BFF9F05E9890E19E4C7,SHA256=30079732CB2788E526CC52A1C32BE8B7C8A9CBA40FB8D5A5DACF45F504E2E382,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:47.650{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000103983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:47.650{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCDCF00C76D5753C58682BDD10BAD3F,SHA256=944D1575A127ECDD3FC33986F03AF0827EF507F926022784134B1D14D2971EB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:45.133{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50413-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000104009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.729{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.729{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4B46EB094C69F918165F8B57FD2766,SHA256=CC85439D34B9A714CDE17E9EAED08032D3D04D54A858E7CC03889B0C9CB4FD11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.279{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.275{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.269{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.267{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.265{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.257{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.254{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.253{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.251{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.244{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.232{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.227{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.220{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.213{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.204{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x8000000000000000103992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.182{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:38:48.182 10341000x8000000000000000103991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.179{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.164{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.154{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.138{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.111{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.032{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000103985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.026{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x8000000000000000104011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:49.748{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:49.748{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14014EDBA0E76472720542A361EB3B92,SHA256=5F59933963B6FAF55CA5356BD4D86D82C7EAD1D08CF0827E5BA8BD3CF8FEBE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:49.028{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1948893A9D60999C25B0F40DC70EC9,SHA256=FBEDEEC5FAD4750245B717273227A17A308DA33006A524D406695790D9F4FA25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.926{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.926{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFE11227666F59B919FBF10EAE78095,SHA256=606CD30FB1D9C605F4D27C1EC9D851D84483F98F279270EF3AB176712B955625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:50.110{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13418D3691380EC49EA421013F3445BC,SHA256=434E292166B53D4C6D3DB6AC5E7620453EE5BB5D975B67707B3793EA4E23C35A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.717{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.715{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.381{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.380{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.380{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000104022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.374{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000104021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.373{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000104020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.372{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000104019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.370{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000104018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.369{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000104017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.368{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000104016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.367{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-7640-63C6-CB01-00000000B002}6196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.321{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.318{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.312{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:50.299{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x800000000000000070913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:51.205{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060E78FF666E7C18109BA633B46DDD41,SHA256=669C36AE0CFDBE50053C6B004F3433B314667E3B1CDA48A1B1C92F4877C695F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:48.384{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64602-false10.0.1.12-8000- 23542300x8000000000000000104071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.440{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B12817EF081127332F1DA581D5D37954,SHA256=9D5A071F61B86891A59398339639049D1D39785E7C5E7660C0BD7D444352F74A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.393{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.392{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.390{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.388{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.386{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.383{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.381{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.378{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.376{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.374{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.371{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.368{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.366{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.364{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.362{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.359{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.356{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.353{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.350{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.344{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.342{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.321{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.320{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.319{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.319{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.317{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.305{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.296{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.295{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.267{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.261{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.250{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.246{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.245{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.243{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.240{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.238{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.236{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.235{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.233{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000104030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.232{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 354300x800000000000000070915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:51.114{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50414-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:52.297{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB71348EA02CD5B0A72547ED7ADB35E3,SHA256=A164C1E3ADB71C2D5232ADDD28CC9FD9C438148326382DD513D9B3A621B2A6C8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.976{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000104116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.976{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=200E73C07396210B0E77434905C5A45A,SHA256=49BA6BED542E3DC513C0953BA6D45DCAE20E66D03535C5EF737A11A3289CBDAF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.957{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D37147BEDD9F05E58A0C5D55F17F2B309787B8BB2023-01-17 10:38:52.956 11241100x8000000000000000104114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.930{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\12023-01-17 10:38:52.930 11241100x8000000000000000104113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.929{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\journals\12023-01-17 10:38:52.929 11241100x8000000000000000104112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.929{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\journals2023-01-17 10:38:52.928 11241100x8000000000000000104111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.892{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D2EB0C7D6998870A1BA3405A1E44E91E81BBB4D92023-01-17 10:38:52.892 11241100x8000000000000000104110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.848{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm2023-01-17 10:38:52.848 11241100x8000000000000000104109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.848{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal2023-01-17 10:38:52.847 11241100x8000000000000000104108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.830{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp2023-01-17 10:38:52.830 11241100x8000000000000000104107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.830{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp2023-01-17 10:38:52.830 11241100x8000000000000000104106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.830{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-gmpopenh264\1.8.1.22023-01-17 10:38:52.830 11241100x8000000000000000104105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.830{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-gmpopenh2642023-01-17 10:38:52.830 11241100x8000000000000000104104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.799{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpaddon2023-01-17 10:38:52.799 23542300x8000000000000000104103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.799{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpaddonMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.799{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpaddon2023-01-17 10:38:52.799 11241100x8000000000000000104101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.783{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7FEF50EB1C89E58D7202896295BED2C7C56D1C992023-01-17 10:38:52.783 11241100x8000000000000000104100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.757{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.757{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.757{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7CF28C8A32D4720174B450A54BF359F15091EC892023-01-17 10:38:52.757 23542300x8000000000000000104097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.730{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.730{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.730{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.730{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.730{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.730{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.730{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=EF291A7C76B47726A5744EDAF7A6E398,SHA256=61245DEF7309E00A7C4DFEE05581CE238AF0A4CF852F7D3B44C5F75D42430450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.714{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=31F4453F07F895BF7CC44EEC97C84454,SHA256=AA362644E6A2F626F6775A12F051387023124E600911372873AE6A238827F6FB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.699{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\archived\2023-01\1673951932669.25c81590-2e6b-4b60-aab2-fd6cb87fa6ed.main.jsonlz4.tmp2023-01-17 10:38:52.699 23542300x8000000000000000104088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.699{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\aborted-session-pingMD5=394726005905E3641FB004BAA17FC711,SHA256=3498754FD667EE4F984E448DB413CFC9DBCA652332C5132D2E812877C94B7196,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.683{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\aborted-session-ping.tmp2023-01-17 10:38:52.683 11241100x8000000000000000104086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.683{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\archived\2023-012023-01-17 10:38:52.683 11241100x8000000000000000104085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.683{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\archived2023-01-17 10:38:52.683 23542300x8000000000000000104084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.683{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\indexMD5=B959810851951BD8008B958DDD863ED4,SHA256=4DA216BCEF1E2550B447BE56053A5F9C6AF9B3A487E8FCF0F28AE93DF4C115DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.683{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\session-state.json2023-01-17 10:38:52.683 11241100x8000000000000000104082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.683{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\index.tmp2023-01-17 10:38:52.683 11241100x8000000000000000104081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0B3D4406E07D915542BB0EF8A7B6410EC90DBBF32023-01-17 10:38:52.614 11241100x8000000000000000104080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\43CD2D64B8AB9347EBF172CDE05C691BD80B2F2B2023-01-17 10:38:52.614 734700x8000000000000000104079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\Windows.ApplicationModel.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows ApplicationModel API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.ApplicationModel.dllMD5=CEF3C9261C59336E33920D12A0A88EE4,SHA256=80F69DD2F2C3293FA200D8C463B9C0B3A0F57E966AB3763689E662D6B8E2E48F,IMPHASH=75E17947EA5F1615946F8A33F101E206trueMicrosoft WindowsValid 734700x8000000000000000104078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\AppXDeploymentClient.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)AppX Deployment Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentClient.dllMD5=C1B7C819744E85143C8D45AA3A169D95,SHA256=37F2C1098F17F739867866D49A63FB13F2BC246F3AED4998E0F84A8DAA876B6B,IMPHASH=25D44439F18A7678D22EBE0E51E0B433trueMicrosoft WindowsValid 11241100x8000000000000000104077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\profile_count_308046B0AF4A39CB.json2023-01-17 10:38:52.514 11241100x8000000000000000104076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.499{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.499{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.283{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.283{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4004E66623EF577011E111D9236A2299,SHA256=9C56D102BB38FC6577E8C8BBC765A54E4A9DF51F47BEFC140F8BFDA3444042A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.848{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C441E24C05FE66B31236F00FBED2F19E,SHA256=A5DA4FAFC55166C8A010D41A142D9E7CDE3BE851889EF6D821C44ADB99E3D7B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.385{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.375{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.349{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.339{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.315{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.308{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 11241100x8000000000000000104278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.995{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.995{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.994{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\65E0FFA59D21ADEE5C3AA36A5C3162271566AE232023-01-17 10:38:53.994 23542300x8000000000000000104275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.980{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.977{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.977{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.976{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.972{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.972{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.971{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=5DB20DFA131B0963FDF7A752D4AC48F3,SHA256=0DD180A14CF7592CE0139B774593F457E78DD893EF16B5105618F1A9EBF49301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.968{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=ECE5A6875234F0FD74058E26A08CA8F8,SHA256=645C1A661E1AFBB5CA62FEFDE09295584E31CA89AF778335ED73E59339314D13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.936{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.936{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD3DC8FE7F47D12E1C75B9A8E26ABF7,SHA256=1BBECAA309A7DA43FF2A6D3A8761DDBEB31089309B864F89D808B696A89ACE14,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.917{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.917{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.916{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E8D08DAD0FB6E27145709A42880F6C81F3BE873A2023-01-17 10:38:53.916 23542300x8000000000000000104262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.901{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.899{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.899{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.898{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.895{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=5F3CDD37E25CB663CA2E06891382D26E,SHA256=8649C73FA9681898E7F11C45B27E9C8F493DF947E12C9A938FDAB9C011C350F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.892{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=16A3B50363172A892CBD0FDB81F8DB0A,SHA256=BFDAB2C3512EF351EEFD7F2A8E298AB2AFBA68C76E3213E55C910FD30C1B02AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.857{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\31F897C44EABB4F886EBC58039909B60C0C5B8C32023-01-17 10:38:53.857 11241100x8000000000000000104253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.831{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.831{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.831{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3DE122AF51E9C396743DA36D6F24FC9288BA6D862023-01-17 10:38:53.831 354300x8000000000000000104250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.939{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64609-false34.111.73.144144.73.111.34.bc.googleusercontent.com443https 354300x8000000000000000104249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.927{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53827- 354300x8000000000000000104248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.924{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49781- 354300x8000000000000000104247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.920{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64608-false34.160.144.191191.144.160.34.bc.googleusercontent.com443https 354300x8000000000000000104246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.885{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64607-false23.213.53.145a23-213-53-145.deploy.static.akamaitechnologies.com80http 354300x8000000000000000104245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.848{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local53domainfalse127.0.0.1win-dc-ctus-attack-range-141.attackrange.local55413- 354300x8000000000000000104244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.831{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64606-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000104243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.818{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53250- 354300x8000000000000000104242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.817{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55413- 354300x8000000000000000104241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.816{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52433- 354300x8000000000000000104240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.717{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64605-false34.160.144.191191.144.160.34.bc.googleusercontent.com443https 354300x8000000000000000104239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.708{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64604-false35.241.9.150150.9.241.35.bc.googleusercontent.com443https 354300x8000000000000000104238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.705{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local65300- 23542300x8000000000000000104237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.813{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.813{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 10341000x800000000000000070947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.298{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.293{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.291{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.278{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.276{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.275{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.274{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.265{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.260{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.258{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.253{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.241{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.239{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.224{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.214{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.188{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.174{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.166{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.157{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.150{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.144{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.138{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.116{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.106{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 10341000x800000000000000070916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:53.105{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245652C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980850) 11241100x8000000000000000104235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.813{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.813{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.804{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.804{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.804{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=F7C9D1F0E9AD4439C72CC7BDDAAB684E,SHA256=D515ABBD87F4B6202B8660483B5F05234754B70BE0B3E94C2FA0493306EE55CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.804{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=190E15BEDACFBE1BC3F93949A4BD2208,SHA256=2373C41EA6137AF0A170B6BFBA2E4305489773D74C745FB51AE97DE73B03DED3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.786{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\57D27CBCAB857481421F7322F1595A270C0FC4742023-01-17 10:38:53.786 11241100x8000000000000000104228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.757{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.757{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.757{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\56B005E9688BD7284A2CCDC5E32DB87472609E932023-01-17 10:38:53.757 23542300x8000000000000000104225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.740{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.740{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.740{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.740{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.740{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.740{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.731{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=54D2153191180905F188AA85E209312F,SHA256=F9733745D7D39960168ACF9CA18A22EF3150A752207B8E188CBB5DBFDF302A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.731{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=D04A9348EAE36652DEA70D08F4E2C77E,SHA256=D90CA62753B13964F614BA16344CB50619C0952872643D6D5A1B83D949F256DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.695{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BE13857FAF251CCA8C4AE07311778B6623EF86DC2023-01-17 10:38:53.695 11241100x8000000000000000104216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.668{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DE8ED7E498C828C3E4DF4FA7132140B762AC6DBC2023-01-17 10:38:53.668 11241100x8000000000000000104215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.651{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:38:53.005 23542300x8000000000000000104214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.650{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.649{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:38:53.005 11241100x8000000000000000104212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.640{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\38FF788A718C79DDC3D1E23EAA975517D9BA3BB02023-01-17 10:38:53.640 11241100x8000000000000000104211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.622{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.622{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.622{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E2E2DB2F02258A8F9FEF833AA106B9511B475D182023-01-17 10:38:53.622 23542300x8000000000000000104208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.604{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.604{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.604{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.604{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.595{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.595{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.595{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=10E46BC2A5E479885CADA5399AAAC5C5,SHA256=03543FF790B7459D07A56B4D7FDEAFBEF21AD05142034668B9F2F1EE03457F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.595{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=76D363DF0AA23D24B405690FF6F2E8FB,SHA256=1970E0055BC24B8BB52DD460E02D307EC8B2E323543A358EE7F42627424AE529,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.577{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BC9A334D14AE8D5CDCF1F5F5128BA1F4CDD083AC2023-01-17 10:38:53.577 354300x8000000000000000104199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.693{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55618- 354300x8000000000000000104198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64603-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x8000000000000000104197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.642{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53490- 354300x8000000000000000104196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.640{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local54826- 11241100x8000000000000000104195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.540{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2CB84DD9ABB4E1485D83397C59B193094E1ABFC72023-01-17 10:38:53.540 11241100x8000000000000000104194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.513{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.513{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.513{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\39D80535A21E286B3C662765C5F09ACEB927E77D2023-01-17 10:38:53.513 11241100x8000000000000000104191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.504{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-17 09:40:52.407 23542300x8000000000000000104190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.504{F172AD64-6CE8-63C6-1200-00000000B002}384NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=49FE4EA7D3B1E2674809A61C2290C960,SHA256=8B693AEB41CEFE25683EAA7A77B10787941E90E7DD07DC7FE55511CEAC1FD238,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000104189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.759{F172AD64-7935-63C6-6402-00000000B002}2296a19.dscg10.akamai.net02600:1407:3c00:b::17d5:3591;2600:1407:3c00:b::17d5:3593;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000104188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.747{F172AD64-7935-63C6-6402-00000000B002}2296a19.dscg10.akamai.net023.213.53.147;23.213.53.145;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000104187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.746{F172AD64-7935-63C6-6402-00000000B002}2296ciscobinary.openh264.org0type: 5 a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com;type: 5 a17.rackcdn.com;type: 5 a17.rackcdn.com.mdc.edgesuite.net;type: 5 a19.dscg10.akamai.net;::ffff:23.213.53.145;::ffff:23.213.53.147;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000104186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.495{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.495{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.495{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.495{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.495{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.495{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.495{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=177375566E53C260C9AF470992D7F7C5,SHA256=4F080F5AD653706272ED4DAD19AB402FF2A107AD9ECDDF280B4D9DEB7B1E04A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.495{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=4DF5CAF9C59C369A0D6914C61263FEC7,SHA256=1C742C68D9C013F2845DAD530A25FE86DCDB9D866B96E78E04D42B8169130399,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.468{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.468{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.468{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BFB76AE057440A16593FE08B2FE91F5D71B2F9632023-01-17 10:38:53.468 23542300x8000000000000000104175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.455{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.453{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.453{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.452{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.450{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.450{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.449{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=03275864BC294E4B58C05A2BE6634C9E,SHA256=B64B16E8C93B03141036BC67544F398A2BE28B289EF7912383CFBB64A8FDEBE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.440{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=BD8E6B7CCAC97C6AFAC2A386CC60388A,SHA256=39CB20E7A76DEA4C124C52388D9A496FB609F6D762E27B546B2B74251A66BCD1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.422{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.422{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.422{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\376B2D3D28DD6719B8EA6EAFA2E8F2B44B2860AE2023-01-17 10:38:53.422 23542300x8000000000000000104164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.413{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.404{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.404{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.404{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.395{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.395{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.395{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=68745D403116F7A4266802E80FB88B82,SHA256=2604FAA735B81FF203D99B11918D48589EC91A62B98DF3AA844A59711E750333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.386{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=F209BAC8BAC457642B08AEEE0C298549,SHA256=0045794B83A9A32346053DFF55CCEDD7A3787D09802C1C75A8ABF3488BBB1FB6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.386{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig.tmp2023-01-17 10:38:53.386 11241100x8000000000000000104155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.386{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib.tmp2023-01-17 10:38:53.386 11241100x8000000000000000104154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.376{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.376{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9472C58ED0BE09D7B554EFE6D0E859D4,SHA256=0B511E4F9B5E0DC8934CAA21C68DE3D40B4E4A294C1BA2B8E567EA07757874B4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.tmp2023-01-17 10:38:53.376 11241100x8000000000000000104151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.303{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.303{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.294{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EBBD1A94C6D86CC9B561A32EA0C57B354974290A2023-01-17 10:38:53.294 11241100x8000000000000000104148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.294{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json.tmp2023-01-17 10:38:53.294 11241100x8000000000000000104147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.294{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt.tmp2023-01-17 10:38:53.294 11241100x8000000000000000104146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.294{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-widevinecdm\4.10.2557.02023-01-17 10:38:53.294 11241100x8000000000000000104145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.294{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\gmp-widevinecdm2023-01-17 10:38:53.294 23542300x8000000000000000104144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.285{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.285{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.285{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.276{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.276{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.276{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.276{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=6D99302CE01F3EC62862FE1B25C08E94,SHA256=0A0195C766BDF936738A1CBEF122749715FC0525A7B09F4F8F4049FEA0D6CE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.276{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=552CF8039875D1F0B8C96805DFDA6C8C,SHA256=D10735371A651C9D53AE3CB22D89B8373D8654612DCFD821CAD62E5ACB66DE86,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.239{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpaddon-12023-01-17 10:38:53.230 23542300x8000000000000000104135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.239{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpaddon-1MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.230{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpaddon-12023-01-17 10:38:53.230 11241100x8000000000000000104133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.212{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.212{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.212{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\82C47FA9F5F29D08908329A836215460FD85B37B2023-01-17 10:38:53.212 23542300x8000000000000000104130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.194{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.194{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.194{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.194{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.194{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.194{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.185{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=CD040312E838D36064170286EC566AEF,SHA256=E670087A8616553128B5323FF502D4C876767D602DB2E811AA0516E1FA54AA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.185{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=3B0210F2B2954ED581CD4F46CFA17466,SHA256=F23DB8E3C2123EEE240D1CA6D50FDCB61D7D5F9648D4BB3F5413C83C4BB68B49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.134{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\788AFE76163869DFA4D54FAD568DBBD3356EB61E2023-01-17 10:38:53.134 11241100x8000000000000000104121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.029{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1A727D73A15D1377200A112552C6F6FC162A45EB2023-01-17 10:38:53.029 11241100x8000000000000000104120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.006{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:38:53.005 23542300x8000000000000000104119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.005{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.005{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:38:53.005 23542300x800000000000000070955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:54.340{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CD02661E452C58ED38CF001C159021,SHA256=09DBA191180FB457C92F30D3EDB5E49B8182C11DED9B727258B1A67842DD5978,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.993{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.984{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.984{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6C1C610BCD6C460B037FD2C1E8D40FE1713647E72023-01-17 10:38:54.984 23542300x8000000000000000104322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.976{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.975{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.974{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.972{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.942{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=A88EB8AD4A370246480BC05ECE015E1C,SHA256=2AFB7788D9009441A1C02409B58BD076F37819C05EA22092BAD5B0936BB25E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.924{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=D94AC65A35E9AD62CD20D2C492A693C7,SHA256=35402C775A603D8B177F0A83C9927335B0068225B3B588790829026A8AEE63D6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.822{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm2023-01-17 10:38:54.822 11241100x8000000000000000104313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.822{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal2023-01-17 10:38:54.822 11241100x8000000000000000104312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.704{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\security_state\data.safe.bin2023-01-17 10:38:54.704 11241100x8000000000000000104311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.468{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.468{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2866C384C16051E7DAF10F72426FDCD2,SHA256=DB7BE8B917DD151F3276E6BB5265947459FA0BAA0BAB50B1D0134E70368AB616,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.467{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.467{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 11241100x8000000000000000104307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.458{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6BEE6670C6D666A2452C666F31211576E3BA5A3E2023-01-17 10:38:54.458 23542300x8000000000000000104306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.450{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.440{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.440{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.440{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.404{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2023-01-17 10:38:52.499 11241100x8000000000000000104301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.404{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2023-01-17 10:38:52.499 23542300x8000000000000000104300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.395{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=03A5F5F33F2A75E4A67DF8891F005560,SHA256=36FD31AC54C0D3748C3075D242154650593735BC8F2EF5D5366772E8DED93A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.358{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=AA1B92C618D4C65EF87901EDE2267B95,SHA256=375D70D2351F65B296CF891AC7F70B83D56F943D8C4AF2532685E1F1983569F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.226{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local53933-false74.125.155.135iad30s37-in-f7.1e100.net443https 11241100x8000000000000000104297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.168{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:38:53.005 23542300x8000000000000000104296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.168{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.168{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:38:53.005 11241100x8000000000000000104294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.116{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\63F48F4F7F1BC3195F5AB831F9794F3DBA2D30E12023-01-17 10:32:25.959 11241100x8000000000000000104293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.103{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FDCBD0EBA49D09991FB88DD3CF679B149B1CD6692023-01-17 10:38:54.103 11241100x8000000000000000104292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.083{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BE3353F09D8D0F506D39FA70CA75608310C944232023-01-17 10:38:54.083 354300x8000000000000000104291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.166{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64612-false142.250.190.35ord37s33-in-f3.1e100.net80http 354300x8000000000000000104290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.150{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53932- 354300x8000000000000000104289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.127{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64611-false74.125.155.135iad30s37-in-f7.1e100.net443https 354300x8000000000000000104288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.116{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53017- 354300x8000000000000000104287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.115{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53011- 354300x8000000000000000104286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.087{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local51660-false142.250.191.142ord38s29-in-f14.1e100.net443https 354300x8000000000000000104285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.002{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64610-false142.250.191.142ord38s29-in-f14.1e100.net443https 354300x8000000000000000104284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.985{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51659- 354300x8000000000000000104283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.984{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63117- 354300x8000000000000000104282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:51.982{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64016- 11241100x8000000000000000104281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.048{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B310F9B15AC2079817E2A947C405D9A359E3CB592023-01-17 10:38:54.048 11241100x8000000000000000104280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.021{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\70402EC1672A4A6841905A79BE84325F931CC52D2023-01-17 10:38:54.021 11241100x8000000000000000104279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.006{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\broadcast-listeners.json.tmp2023-01-17 10:38:54.006 23542300x800000000000000070956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:55.408{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB7D7E53B0847329208414620FC3838,SHA256=B795803CB755F7AC883BB8DA2016994611683E78F59421F7EA61CF1996B6674D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.994{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6B280FD83429C1AF43F9139A75C2ADAA7F0147172023-01-17 10:38:55.994 11241100x8000000000000000104654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.993{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\20E7CE4966D1B87CE608960206ED8E9160BFAAD32023-01-17 10:38:55.993 11241100x8000000000000000104653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.993{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CF5DDB16E79EE3DAD16A88F996AD923941B463B22023-01-17 10:38:55.992 11241100x8000000000000000104652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.992{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\18C71A099C4366FDE12E03E87FE7B4B11FF297772023-01-17 10:38:55.992 11241100x8000000000000000104651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.991{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BBCA5FD40B85F254236EA7DCA2D78B528C0ADB1D2023-01-17 10:38:55.991 11241100x8000000000000000104650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.991{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\18C7E586E8727922825585A31AA2E27CED80FC082023-01-17 10:38:55.991 11241100x8000000000000000104649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.990{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4DD6599A899DC39DF17864D06CDA34D60D2F385B2023-01-17 10:38:55.990 11241100x8000000000000000104648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.989{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CE81DAAC178066C7D9D9ECF5871D9861F6DC96F02023-01-17 10:38:55.989 11241100x8000000000000000104647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.972{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DB519BB785BC9266FD9AB3C3ACB438310C1EC7DB2023-01-17 10:38:55.971 11241100x8000000000000000104646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.971{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4C287EE76FCFB88F4674E98BEB06320D126EB6AD2023-01-17 10:38:55.971 11241100x8000000000000000104645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.970{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\06683D677288764CF43FF0B6BCC00D8FC8946BCB2023-01-17 10:38:55.970 11241100x8000000000000000104644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.970{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\455858B8D5D679F81ED78BF96F8AE085664327342023-01-17 10:38:55.969 11241100x8000000000000000104643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.969{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C16C318765E2FF4035E8D5376139F72A0226B11E2023-01-17 10:38:55.969 11241100x8000000000000000104642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.968{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7A8D4678B6A9DC484467357D5E2D4D7CB1524F652023-01-17 10:38:55.968 11241100x8000000000000000104641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.968{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FE314736FAF0C587C0B94AFE5C79D8AC8B496CD52023-01-17 10:38:55.967 11241100x8000000000000000104640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.966{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8D63CCE71296A849D56109CD24ED2CB33803A4352023-01-17 10:38:55.966 11241100x8000000000000000104639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.941{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CD61EC0654B505D4F87733C048F95F56DEE7EED72023-01-17 10:38:55.941 11241100x8000000000000000104638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.941{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B5CBC0F4A918DF89631FB6CFEA43E440C4CD4D042023-01-17 10:38:55.941 11241100x8000000000000000104637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.941{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D0D253051B20E9A5881625622BB9ECD0789BDDD72023-01-17 10:38:55.941 11241100x8000000000000000104636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.941{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7197033CA81CBE19951A4FFC62C941CC923AE1B82023-01-17 10:38:55.941 11241100x8000000000000000104635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.941{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D989AF4571059BAFE04DE09D19B911AE203BE99D2023-01-17 10:38:55.941 11241100x8000000000000000104634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.941{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\52D21BA92056699A4C5664F4D0D55756CF2D367F2023-01-17 10:38:55.941 11241100x8000000000000000104633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.941{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C5699007DB96D3E5BE3DF1A635610911A8B496052023-01-17 10:38:55.941 11241100x8000000000000000104632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.941{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\40395869F72EA19247AF487610F9A7564E4B1B3D2023-01-17 10:38:55.941 11241100x8000000000000000104631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BF3D5E9E47C232241B3F42E141B443A927D07F622023-01-17 10:38:55.923 11241100x8000000000000000104630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BBF71EB67BE7D8A8071FFCE1D8513A35AEA90C3D2023-01-17 10:38:55.923 11241100x8000000000000000104629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0B95C8EA6CB88E4A1E9E12042EAB384F8D61AA792023-01-17 10:38:55.923 11241100x8000000000000000104628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DBA3BF51F2D6997C752A07E98BF71F827EE9D68B2023-01-17 10:38:55.923 11241100x8000000000000000104627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F15311EFDA1E6B1C71A65847CF468B014240F5752023-01-17 10:38:55.923 11241100x8000000000000000104626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BBA3B62C6926A57DE7109C39EF9E1ABEE487F7F32023-01-17 10:38:55.923 11241100x8000000000000000104625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B20FBE2F65F2F64F708C240DBBD865F6AB63981F2023-01-17 10:38:55.923 11241100x8000000000000000104624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.923{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\109C91CC3BC3F55207692F881F19BDA1D72E42B32023-01-17 10:38:55.923 11241100x8000000000000000104623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\29008D728ECE9AE6E0DE79EACF41DFE467C357002023-01-17 10:38:55.896 11241100x8000000000000000104622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DE18FFCA5744F69BF64DC95137610156B1B0078C2023-01-17 10:38:55.896 11241100x8000000000000000104621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\55B037B3DC76E6FB6FABA8071583F093ACE6FF6A2023-01-17 10:38:55.896 11241100x8000000000000000104620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\22E60B73C813149E64A2B6B56AB81D65985D56EB2023-01-17 10:38:55.896 11241100x8000000000000000104619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\99391F86B988609F365A00F547F98C08605ABE562023-01-17 10:38:55.896 11241100x8000000000000000104618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DE6C353CD4BC00CFD64895543F28B8AF6F521F192023-01-17 10:38:55.896 11241100x8000000000000000104617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5AD12BAD1835C7A85475E478A2A89E126ABEC43A2023-01-17 10:38:55.896 11241100x8000000000000000104616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.896{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4F6DF2CB3F830026B613A39C9AA99A6A6BE1594B2023-01-17 10:38:55.896 11241100x8000000000000000104615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\92E1C0F8C47C885B1D2C8B58F6038BE64A5AB2352023-01-17 10:38:55.878 11241100x8000000000000000104614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A24E4E498420DCD2EA413C0764377845FB7228422023-01-17 10:38:55.878 11241100x8000000000000000104613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CFF4A8684120F0C0C948F5CE5D9FB1D80DBA5B832023-01-17 10:38:55.878 11241100x8000000000000000104612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\31E3E4DCE240011209D1E72EDE58E1103F2F0C342023-01-17 10:38:55.878 11241100x8000000000000000104611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9BD86341CDDE6BA8729539AA7FBDDC216E9F58692023-01-17 10:38:55.878 11241100x8000000000000000104610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\90663663E045930BED700E1C6339DA70E891125B2023-01-17 10:38:55.878 11241100x8000000000000000104609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\134CDA5AADAAFECEF53EC7D8BB259455C7EF077D2023-01-17 10:38:55.878 11241100x8000000000000000104608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.878{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8CC1C33062F0B86BD0F3F0ED3EED9613DD086ABB2023-01-17 10:38:55.878 11241100x8000000000000000104607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.858{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A2EAAAB018E2D0A82F9117E0C5F8A1949056010D2023-01-17 10:38:55.858 11241100x8000000000000000104606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.858{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F5C21D96FCE9A87A7104D075F32EFB305069850F2023-01-17 10:38:55.858 11241100x8000000000000000104605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.858{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3A24CA9634BE7C79FD1B7893AFB6ABFF9B324F102023-01-17 10:38:55.858 11241100x8000000000000000104604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.858{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C922C927EA3C61753ADC19DD32F0DC0C57BA6B412023-01-17 10:38:55.858 11241100x8000000000000000104603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.858{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9B4EFFC810B4CEB52FA1C45AF35CC590922A96E62023-01-17 10:38:55.858 11241100x8000000000000000104602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.858{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\40D264EBE5CC2D125402C09D79F33377A3C657132023-01-17 10:38:55.858 11241100x8000000000000000104601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.858{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\88531DFEC392E33C9346CF305D42EF2B28AA00822023-01-17 10:38:55.858 11241100x8000000000000000104600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.857{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BA2DAE13856039E41EC759AA0BB1E51674271A762023-01-17 10:38:55.857 11241100x8000000000000000104599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.834{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\60C01BD09C4C2A4B4AD9129F2308B3DD0F0C9DE42023-01-17 10:38:55.834 11241100x8000000000000000104598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.834{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9F00B16A6F728A21F91AAA94548220ADD83B345D2023-01-17 10:38:55.834 11241100x8000000000000000104597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.834{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CB1080EDCC82BF0FB11A6023E173E34E0E5D6BF32023-01-17 10:38:55.834 11241100x8000000000000000104596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.834{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3AA375267156E6A6D6D729F5DB33F9B6AA9997F92023-01-17 10:38:55.834 11241100x8000000000000000104595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.834{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\550C775D0AD0226782F0029BBCEAB27FC559C44E2023-01-17 10:38:55.834 11241100x8000000000000000104594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.834{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2F05D0D72060F7E89E88B58FEDD543896330035A2023-01-17 10:38:55.834 11241100x8000000000000000104593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.834{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4648D9E8F8B16D0F6D2E7E546248887B288412F02023-01-17 10:38:55.834 11241100x8000000000000000104592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.834{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\45B2624F73129284616721127078DEF66A08E11E2023-01-17 10:38:55.834 11241100x8000000000000000104591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.816{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\80541FEF2F2263D125BA60D892846A1F06A804E42023-01-17 10:38:55.816 11241100x8000000000000000104590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.816{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1ABB119F18F11261046E437DA5FE40A6D240F6282023-01-17 10:38:55.816 11241100x8000000000000000104589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.816{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\283692340D4E6C6869C73F301FD64DC2ADD488DD2023-01-17 10:38:55.816 11241100x8000000000000000104588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.816{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5C418F8A060099E6B7FE06E55A1E6A6E6E48AD7B2023-01-17 10:38:55.816 11241100x8000000000000000104587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.816{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\82F606B93142FD354271675B312CA65D121A4FBA2023-01-17 10:38:55.816 11241100x8000000000000000104586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.816{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A848DCBA87A6482922002DFFC74E629C04D754952023-01-17 10:38:55.816 11241100x8000000000000000104585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.816{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6E9FB697B9604D812354E19DDC125C122E2874B12023-01-17 10:38:55.815 11241100x8000000000000000104584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.815{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\339B16AA80E3F282CDD810DEA83EB03351B7E3E52023-01-17 10:38:55.815 11241100x8000000000000000104583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.806{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.806{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B529521ECA1078C078570822EE26BB9F,SHA256=E60FB8BA602BB25B70E90B93FE6567782280F210DB313220BCDA97F8992466F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.796{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FA71AE828CF1BF4480CE4AC59DB362A82BCAB22C2023-01-17 10:38:55.796 11241100x8000000000000000104580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.796{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D2A63AC4C139255F56830573E2C3B9318678D6F02023-01-17 10:38:55.796 11241100x8000000000000000104579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.796{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\529B3A3A359B26E99AD302EBDDC2D2C02187406E2023-01-17 10:38:55.796 11241100x8000000000000000104578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.796{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\35316ABA6FC59416707E43F707954B0B634F2DF82023-01-17 10:38:55.796 11241100x8000000000000000104577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.796{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E1CF0D987C0F8C7FF52485ED1EC85477DE38CA592023-01-17 10:38:55.796 11241100x8000000000000000104576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.796{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4102AE6CF8663C25B5F211EDBAF6C3BB52FF05572023-01-17 10:38:55.796 11241100x8000000000000000104575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.787{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\913C420590EECECCD5EA0361B9660881E3E712522023-01-17 10:38:55.787 11241100x8000000000000000104574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.787{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4E39A47067318AEA7FB4E2CA33B019FF217B4F792023-01-17 10:38:55.787 11241100x8000000000000000104573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\175E82CE2BD6CA275B8487E79CFB85EB98D1A6042023-01-17 10:38:55.769 11241100x8000000000000000104572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2BD4A465CC1CAA97C59EF792A51D84EC74B072D42023-01-17 10:38:55.769 11241100x8000000000000000104571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\367887CF5BB6D172CDF3C4739512E09FD17343AD2023-01-17 10:38:55.769 11241100x8000000000000000104570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B3A99981E2C5741C3FDFD1645BCD9B53C5AE2B372023-01-17 10:38:55.769 11241100x8000000000000000104569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8C45B57257E8DD92C0C4DB98DC129A7149E0EAB32023-01-17 10:38:55.769 11241100x8000000000000000104568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\09469CA17472CF0568267C2C04375B12FA5B51682023-01-17 10:38:55.769 11241100x8000000000000000104567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E52EEA111714D9122E06EF4B0D4FD218BCD4DF3F2023-01-17 10:38:55.769 11241100x8000000000000000104566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C9F75E9D35CF9B302C623EC4B9B5E0DF1C13A2E72023-01-17 10:38:55.769 11241100x8000000000000000104565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.753{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EB1B7E5C56C5D31744820C504B34FB78A35709302023-01-17 10:38:55.752 11241100x8000000000000000104564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.752{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\90418059FFB130A8392048D095CEC5A8396A69852023-01-17 10:38:55.751 11241100x8000000000000000104563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.750{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\872D83EE9FA189E66ACEBED35E69540F7CBD24872023-01-17 10:38:55.750 11241100x8000000000000000104562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.750{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\69E0D9D5DA24560D0D4690CA5E537F97D3FB03AE2023-01-17 10:38:55.741 11241100x8000000000000000104561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.741{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B019A978C251318C3FB91F6A476955816C9DE18D2023-01-17 10:38:55.741 11241100x8000000000000000104560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.741{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2DB70BF89F32C63605EC731B028F0B5937A6C2512023-01-17 10:38:55.741 11241100x8000000000000000104559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.741{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A77D604080DDB9FD72FFD9AE728FCDF84A704B152023-01-17 10:38:55.741 11241100x8000000000000000104558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.741{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\05420550A65BA7C2E90FAEB27F8E691D3CA7CD002023-01-17 10:38:55.741 11241100x8000000000000000104557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.723{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4EE04E518E7B1DA4AB80022C00EAD2BFA23052952023-01-17 10:38:55.723 11241100x8000000000000000104556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.723{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F9F99B83E591C6B8DAC623D69739D95345B7BED92023-01-17 10:38:55.723 11241100x8000000000000000104555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.723{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AB526F3E59D6299AB49993B7666AE34F477B98792023-01-17 10:38:55.723 11241100x8000000000000000104554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.723{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\68C731338A001C8F0FB57CA149DD0193F8BCB5282023-01-17 10:38:55.723 11241100x8000000000000000104553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.723{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E36E271D59D4378CBCB1DCCE7E8AD32147BF64062023-01-17 10:38:55.723 11241100x8000000000000000104552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.723{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\76CF42F827BFE9938EA02870F2AD68BD19DCA8AE2023-01-17 10:38:55.723 11241100x8000000000000000104551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.723{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F60B3ECA8194D0E3FA85872D2BCE4F99CF7AF3202023-01-17 10:38:55.723 11241100x8000000000000000104550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.723{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FCCA7D06E2F305D7F7384D9F6A1179FF43FD1D3B2023-01-17 10:38:55.723 11241100x8000000000000000104549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.705{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D162F12678516134E12331F0520E5D4FC4E65E8E2023-01-17 10:38:55.705 11241100x8000000000000000104548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.705{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3F8D5EBC77432AE7BA07F8F6476E1446C0D33F182023-01-17 10:38:55.705 11241100x8000000000000000104547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.705{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CCBCB29DD91111BF7EB2BB86CBDFD6BD880548DF2023-01-17 10:38:55.705 11241100x8000000000000000104546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.705{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EA592F31293484213B84319C004DF958BE577F612023-01-17 10:38:55.705 11241100x8000000000000000104545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.696{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1F6CDD0345B89F6C23E8C0A4966107A106991ECB2023-01-17 10:38:55.696 11241100x8000000000000000104544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.696{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ACA49CC857DB79C6AD1331EA93F687BB4E3421A32023-01-17 10:38:55.696 11241100x8000000000000000104543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.696{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E29AF4A09FA9946F72C0FA28845B8FF847FE0E562023-01-17 10:38:55.696 11241100x8000000000000000104542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.696{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F5805DFDD6175880D37B9C19FCD56C9D7ED6C9DB2023-01-17 10:38:55.696 11241100x8000000000000000104541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.678{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\95D4C81BE5ED1990689C50432CFB0974B149130D2023-01-17 10:38:55.678 11241100x8000000000000000104540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.678{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2D788B71BCB582F1F068AD87A406E55C34F1EBBD2023-01-17 10:38:55.678 11241100x8000000000000000104539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.678{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B5914802B9C08ED79BBF66929610B58D678764CF2023-01-17 10:38:55.678 11241100x8000000000000000104538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.678{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C77790A86DD8F240B5554E2844463660FFD9EFA22023-01-17 10:38:55.678 11241100x8000000000000000104537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.678{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6C4788C6DFA3CDBC2EFE347E2B213C05969CB6A22023-01-17 10:38:55.678 11241100x8000000000000000104536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.678{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F768BC8DE61623BBD6E5DE70C22C76E24465C9492023-01-17 10:38:55.678 11241100x8000000000000000104535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.678{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CE4F8207E28741F9410DB6B2B309E9EC827FE30F2023-01-17 10:38:55.678 11241100x8000000000000000104534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.678{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BDFAEAA06BE63EC1AB527BE298A716258003A03B2023-01-17 10:38:55.678 11241100x8000000000000000104533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.658{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\299342193A337E8AF32D247C8CCE9B140D3C267A2023-01-17 10:38:55.658 11241100x8000000000000000104532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.658{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FF418E54155E702CF6CCD217C5A0D51977362DC02023-01-17 10:38:55.658 11241100x8000000000000000104531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.658{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3B484C550957B11A4932B244FB5B8789C95BC9852023-01-17 10:38:55.658 11241100x8000000000000000104530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.658{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E549DADF7379AA81B7AC1A79F5F6EC7A65232C052023-01-17 10:38:55.658 11241100x8000000000000000104529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.658{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7D166D6B17B4331687F8AF27E7EF9470069D140A2023-01-17 10:38:55.658 11241100x8000000000000000104528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.658{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5986ED3E4E93CDAF023CFDD9573E20379AFF80862023-01-17 10:38:55.658 11241100x8000000000000000104527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.656{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\90FB4C5121270DBFA98B4679693819B3412BFBAF2023-01-17 10:38:55.656 11241100x8000000000000000104526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DC046DD089A36BB7437BB8B37B87AD690082335F2023-01-17 10:38:55.654 11241100x8000000000000000104525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.632{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E177FC7EA464EEE2B938AD21ED0675184F4B375A2023-01-17 10:38:55.632 11241100x8000000000000000104524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.632{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\62E56A00279C7081A9E5D56532617E15877E5E8B2023-01-17 10:38:55.632 11241100x8000000000000000104523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.632{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9045C572EFAED1A0E8C2D8E85D115180F7937CA92023-01-17 10:38:55.632 11241100x8000000000000000104522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.632{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F75908F63100E13ED2CEADCA2E346364351CEACB2023-01-17 10:38:55.632 11241100x8000000000000000104521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.632{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F3DEE6D718860C8970AC1880913671B2EF045C6B2023-01-17 10:38:55.632 11241100x8000000000000000104520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.632{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0C59849EC46443B38522D5D4ABBE57B1E482A22C2023-01-17 10:38:55.632 11241100x8000000000000000104519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.632{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\00099279F4E23512F2798630BF151B609CB937932023-01-17 10:38:55.632 11241100x8000000000000000104518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.632{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3A8215CABCD1C9A74B46DC462255C319E9BF333E2023-01-17 10:38:55.632 11241100x8000000000000000104517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ACA8CCA8BEB2D9AF256AECD63AE5B89565990EB72023-01-17 10:38:55.614 11241100x8000000000000000104516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\49BC68A183135AF88B064046D5E87564BC2C0ABD2023-01-17 10:38:55.614 11241100x8000000000000000104515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BC63EA977D848CD6D872E7EE1D16BEE10A7571332023-01-17 10:38:55.614 11241100x8000000000000000104514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D742B1E3ED05CD0DF8FA16E165F12CFDBFD88CE32023-01-17 10:38:55.614 11241100x8000000000000000104513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.605{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8C7FF6CDA722F6CAE12B250B27A915993277C1A22023-01-17 10:38:55.605 11241100x8000000000000000104512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.605{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D3F0958FA52510210968A9205BC710B5B960E0122023-01-17 10:38:55.605 11241100x8000000000000000104511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.605{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\84D718A6558C00525279B45F34100F86CBF56AF82023-01-17 10:38:55.605 11241100x8000000000000000104510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.605{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A742DC9A902B1F5C5A19B9F5BE1BFCE394E958AF2023-01-17 10:38:55.605 354300x8000000000000000104509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.264{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64614-false34.98.75.3636.75.98.34.bc.googleusercontent.com443https 354300x8000000000000000104508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.251{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62047- 354300x8000000000000000104507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.210{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64613-false35.201.103.2121.103.201.35.bc.googleusercontent.com443https 354300x8000000000000000104506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.198{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62622- 354300x8000000000000000104505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:53.184{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local62426- 354300x8000000000000000104504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.540{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55684- 354300x8000000000000000104503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:52.539{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49372- 11241100x8000000000000000104502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.587{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D687176E41BC91DCD3DB2CC9ADA73843F4D150192023-01-17 10:38:55.587 11241100x8000000000000000104501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.587{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5AF7E109F269F8B5D4C6C26F10E10E2887BBA3632023-01-17 10:38:55.587 11241100x8000000000000000104500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.587{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C97D241727CA326E2297CB6F48129F4BFD7AD2A62023-01-17 10:38:55.587 11241100x8000000000000000104499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.587{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\29BA41D8214B3B727DE9E1941E3DEAB68A2586272023-01-17 10:38:55.587 11241100x8000000000000000104498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.587{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A9DA847FF32C77404AD6D103CB46130E61ABC5F42023-01-17 10:38:55.587 11241100x8000000000000000104497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.587{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\798B37AD3CEFEDF4E10071D99F1A9DF9783BBC672023-01-17 10:38:55.587 11241100x8000000000000000104496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.587{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7FD77CDB788D7CDB7D1FBC1F4865B22E63303BC12023-01-17 10:38:55.587 11241100x8000000000000000104495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.587{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E43BD4A165A6DC9EC041B61EC682CA96908F16682023-01-17 10:38:55.587 11241100x8000000000000000104494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\85BB1071E69330538A2C0ABFE17683F293EB5EEA2023-01-17 10:38:55.558 11241100x8000000000000000104493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7BB7FF92B4049EC3D41B507EFBBFCC86017B7B4A2023-01-17 10:38:55.558 11241100x8000000000000000104492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\643B99E0D2C8978DD51B7AA46BC611B5A016BF7C2023-01-17 10:38:55.558 11241100x8000000000000000104491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6F2A602D47DBEE186A84D74E58F8180F1C748CD22023-01-17 10:38:55.558 11241100x8000000000000000104490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\43A86B959D713C6A236C00B5FB0FCFDBA76FBDE62023-01-17 10:38:55.558 11241100x8000000000000000104489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1C04AA6640860CF0099542D4A32C87249B686C122023-01-17 10:38:55.558 11241100x8000000000000000104488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\90476FE9DB28DFF73D61697C3FE1069C2B8022812023-01-17 10:38:55.558 11241100x8000000000000000104487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.558{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\17EF70E9C74130081CB7DFEE7A702BA050F421732023-01-17 10:38:55.558 11241100x8000000000000000104486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.541{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8E88C33B606C691DE166303A05F5A0D9C42037C52023-01-17 10:38:55.541 11241100x8000000000000000104485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.541{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1DCEF1535F432CEBA5351D5E7562441C001A32522023-01-17 10:38:55.541 11241100x8000000000000000104484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.541{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5F0BFDA3BE13F8F0CFFD1A7A93CFD81C8E3C1BE52023-01-17 10:38:55.541 11241100x8000000000000000104483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.541{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\130931B75BC5E9D2D041A130FB212AD5F9C868FC2023-01-17 10:38:55.541 11241100x8000000000000000104482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.541{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\105648347EEFB0C51739D31BF52D233147D6C9912023-01-17 10:38:55.541 11241100x8000000000000000104481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.541{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6257427D25377B4A61D2E3E34AC8A906EF2C8BBC2023-01-17 10:38:55.541 11241100x8000000000000000104480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.532{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\65802D66119443F6D86ADE58D402CA6C929523052023-01-17 10:38:55.532 11241100x8000000000000000104479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.532{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\203A5441B501084C4744578D2394B00D2C677C592023-01-17 10:38:55.532 11241100x8000000000000000104478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8B293089BBDB5C9A6428F853D6DBFFF8012562D42023-01-17 10:38:55.514 11241100x8000000000000000104477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E0AAEB49B6B688E85C20F5B5B0F2727D31DA57422023-01-17 10:38:55.514 11241100x8000000000000000104476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\491066EDF50B1BDCD553A228E1383907D6B7A7BD2023-01-17 10:38:55.514 11241100x8000000000000000104475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\24092C5DF77303D8AA3F0B6950D3BAE4CAFBFD312023-01-17 10:38:55.514 11241100x8000000000000000104474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\97AE364FF5C332419B30C036A61C14F18A38F7962023-01-17 10:38:55.514 11241100x8000000000000000104473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.514{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.514{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96C7C59AE3C886591C88B021ECDE5C7,SHA256=B3250D05A4D985B7156CEF6477FE8724C64C43813FF1DA543EFFDDA2D01C8276,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4C18035A39E7DA3C9654E6770A54A8195BB6EBA42023-01-17 10:38:55.514 11241100x8000000000000000104470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7D3BB958A1C04EE708E96A02D3091DC084378A002023-01-17 10:38:55.514 11241100x8000000000000000104469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.514{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3F54976E9157D23EBD6570D7951FA044F2E053A22023-01-17 10:38:55.514 11241100x8000000000000000104468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.496{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C688994B1E3A02B98C23917C96392B8BC985A9BA2023-01-17 10:38:55.496 11241100x8000000000000000104467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.496{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2B67F3D7D8EB34357D5A51CE3E6428F5E9BAE8C12023-01-17 10:38:55.496 11241100x8000000000000000104466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.496{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1769B1B449E3E018E1763810F20419B5CC618AA02023-01-17 10:38:55.496 11241100x8000000000000000104465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.496{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\06055E8787A249CB2536658098CE760742A08CA82023-01-17 10:38:55.496 11241100x8000000000000000104464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.496{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\47381443ABB54712D767DC16158167C14861CD482023-01-17 10:38:55.487 11241100x8000000000000000104463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.487{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\66254D0FEC0E729ADBA1F7E8839C58898AEC5BF42023-01-17 10:38:55.487 11241100x8000000000000000104462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.487{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\93CA3C2A58704AE91467E088A68F6934F138C4B42023-01-17 10:38:55.487 11241100x8000000000000000104461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.487{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3F7EF41EF2EF46CF44DB1E01F68E46FC818DF7512023-01-17 10:38:55.487 11241100x8000000000000000104460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.469{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\11DA06EBD118104A177A2C6E9052898661BAB9502023-01-17 10:38:55.469 11241100x8000000000000000104459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.469{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\249C0EBA30BE97EE15F9BE751A4FC33939E1AA5D2023-01-17 10:38:55.469 11241100x8000000000000000104458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.469{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B7A6242AE6E3111D35E083EFED2E609F0D74BCB12023-01-17 10:38:55.469 11241100x8000000000000000104457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.469{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D9F2E4D11708511CA1930354EBF5D453B345E8722023-01-17 10:38:55.469 11241100x8000000000000000104456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.469{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A2237263BCD64E0F8BB63E6177D8480E4D9C99CC2023-01-17 10:38:55.469 11241100x8000000000000000104455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.469{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\67F67B2DC1A853831173BD32DD9FDCFB31ACE8A22023-01-17 10:38:55.469 11241100x8000000000000000104454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.469{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3CF405FEDE8F114E0D7C89B396976C561FED90812023-01-17 10:38:55.469 11241100x8000000000000000104453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.469{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F6919E9CD8698921392B393061C37FB25DCAE02C2023-01-17 10:38:55.469 11241100x8000000000000000104452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.454{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\151DCECCF2E50C560679896B98032102086E91132023-01-17 10:38:55.454 11241100x8000000000000000104451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.453{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E54C503BEDAC1581B5F578C12F526CCBB170C15E2023-01-17 10:38:55.453 11241100x8000000000000000104450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.452{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\819B6730A6B1043BC531F5C2DB3B31D3B21D34912023-01-17 10:38:55.452 11241100x8000000000000000104449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.452{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BA75A171BBEDDAE64210F73BD17DF3BE7020311A2023-01-17 10:38:55.452 11241100x8000000000000000104448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.451{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\56B149B1EBF477908E1CB79FD18D1029D0E89A2F2023-01-17 10:38:55.451 11241100x8000000000000000104447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.451{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AE134BBADA814FC6EBEDA74939D310F5C534BF7B2023-01-17 10:38:55.451 11241100x8000000000000000104446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.450{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DF5B444F8AD97CE2A935E7B4016CC20054B22BD32023-01-17 10:38:55.450 11241100x8000000000000000104445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.450{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D918350B9795432D902E52A77E03387DD2CCD19A2023-01-17 10:38:55.441 11241100x8000000000000000104444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.432{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4B2748C94FA3619DBC2A1A5919B1536F81202E482023-01-17 10:38:55.432 11241100x8000000000000000104443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.432{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BCF4AEB970E4A0EEC506ABEDCC27096B1E9E59072023-01-17 10:38:55.432 11241100x8000000000000000104442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.432{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ADD9821BCE688665B567C98A15563687B5D806DE2023-01-17 10:38:55.423 11241100x8000000000000000104441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\43DFA66D30E0AC096CE99D8DE70F7B721B5150942023-01-17 10:38:55.423 11241100x8000000000000000104440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AD451ACA76808A4FB1B63A69A856E5C09ECBC9952023-01-17 10:38:55.423 11241100x8000000000000000104439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\792A2DA10AB472D648D73F44C16F29C7674F48D92023-01-17 10:38:55.423 11241100x8000000000000000104438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2F12BA4FBB3CBC67BD68B9083B5DDF6FD95A9A2C2023-01-17 10:38:55.423 11241100x8000000000000000104437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\60B2A9602B6CD2840BFF1180B452A83B69D8C0312023-01-17 10:38:55.423 11241100x8000000000000000104436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.405{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C0B24B467504AD785EF033A11B374619EF84C5E42023-01-17 10:38:55.405 11241100x8000000000000000104435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.405{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F08AB2BEE20A26B42473B7EC360F421D1EE183242023-01-17 10:38:55.405 11241100x8000000000000000104434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.405{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8E0A7FCCBFF94410E2D481A7DE777E592C67D4042023-01-17 10:38:55.405 11241100x8000000000000000104433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.405{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FAA5DE3E9BF935B8A4D553C75F82FEC59EE111E72023-01-17 10:38:55.405 11241100x8000000000000000104432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.405{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C65405A0CC2DB36062A84CC3F485208B39A997C72023-01-17 10:38:55.405 11241100x8000000000000000104431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.405{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9BCB0EFBBFB5CB5C4BAE2F361169E07B5604F4D82023-01-17 10:38:55.405 11241100x8000000000000000104430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.396{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1F001ABC732598300E8297AC686A75B32E5186EB2023-01-17 10:38:55.396 11241100x8000000000000000104429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.396{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DB022C3D5E65699F640D8DEA20EE25904D318C2E2023-01-17 10:38:55.396 11241100x8000000000000000104428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F84B6A34B56CEC15C1942664FFAB6B65E0D2588F2023-01-17 10:38:55.378 11241100x8000000000000000104427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\74FAA831A5AD1348DE267780D4C0C2F10CBBEC392023-01-17 10:38:55.378 11241100x8000000000000000104426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\54DC5DC926ACFD0F0401949DB5CBCA5383CB6B772023-01-17 10:38:55.378 11241100x8000000000000000104425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3ABE6035282CF9D17DCB0D733614ACA8C2C8CF592023-01-17 10:38:55.378 11241100x8000000000000000104424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D54DA76E598693FED6A7F29197EA9CFAFC48C3862023-01-17 10:38:55.378 11241100x8000000000000000104423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8BEF30DAF9E2434EED4B7575BCD80C38A5A19D6A2023-01-17 10:38:55.378 11241100x8000000000000000104422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4B90DDAEEEEA60534FA3D5F56046728FBA5F49892023-01-17 10:38:55.378 11241100x8000000000000000104421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D02765262FF82856F6B6D6BFE3A3C0ADFDE1F3782023-01-17 10:38:55.378 11241100x8000000000000000104420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.358{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CF675741C1EFEC8A3183DA1A78119C33FC10872A2023-01-17 10:38:55.358 11241100x8000000000000000104419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.358{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8221A41DAAFA532836D3E8EDED1AAC94D3955D162023-01-17 10:38:55.358 11241100x8000000000000000104418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.358{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8D14B7D0EFC523B59E3933E14FE44FB72BECA8DF2023-01-17 10:38:55.358 11241100x8000000000000000104417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.358{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7150F4EBAFF6A9B3313A4538C93D17F0CC4D49952023-01-17 10:38:55.358 11241100x8000000000000000104416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.358{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1C071BEF2BB8DC67CE789498A903116EA0C85F0A2023-01-17 10:38:55.358 11241100x8000000000000000104415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.358{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7E1BDF2C04B6BB8E6516A288BE95B19B21D7828A2023-01-17 10:38:55.358 11241100x8000000000000000104414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.358{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8BF87BB7E13934F2648153F6F818CD2F93455F692023-01-17 10:38:55.358 11241100x8000000000000000104413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.357{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B9733F3DE80E43D56DFE3DC1FE77A9EF8264DF492023-01-17 10:38:55.357 11241100x8000000000000000104412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.340{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2895D329D9CDE4EEC4507C923E0791BB67DB775C2023-01-17 10:38:55.339 11241100x8000000000000000104411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.339{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DA05386B718D82B4F8C10CA4EFF547B6865C37432023-01-17 10:38:55.339 11241100x8000000000000000104410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.339{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7589846A4928998B49801C20A83DE33E66E13F8F2023-01-17 10:38:55.338 11241100x8000000000000000104409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.338{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5900EC362904C1176F9E26C94E22ABD34B7AC9112023-01-17 10:38:55.338 11241100x8000000000000000104408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.337{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FF9CB2BCE37DED64CF411113359886D2315B49122023-01-17 10:38:55.336 11241100x8000000000000000104407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.336{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F17B756097EA7730CD30B737575E8E035771440D2023-01-17 10:38:55.336 11241100x8000000000000000104406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.335{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A83086528D2C610B97ACE39364DF9611A9CD75C12023-01-17 10:38:55.335 11241100x8000000000000000104405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.335{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\748A6D21CAE584312DD1C1370AFEA70B0F7DDA502023-01-17 10:38:55.334 11241100x8000000000000000104404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.314{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9FAD54A82FE60014D7BB27E2D093F77FCD0C58E72023-01-17 10:38:55.314 11241100x8000000000000000104403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.314{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\814C06500F01028C31A455285E090F30795A42B92023-01-17 10:38:55.314 11241100x8000000000000000104402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.314{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8EEA81D3ADD1DB638DD9873EFEFE50F2C1801C762023-01-17 10:38:55.314 11241100x8000000000000000104401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.314{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\428CE5F79975B5B9386D888B4CCF43C4540267722023-01-17 10:38:55.314 11241100x8000000000000000104400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.314{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EA96E609B604DE6E32802827736E4E3FBF8968E12023-01-17 10:38:55.314 11241100x8000000000000000104399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.314{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5DC222A516928643F8ED46F83A0A0E72C9BCC5562023-01-17 10:38:55.314 11241100x8000000000000000104398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.314{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A2917EC14A390EBF8C127F40BED1C8139E236DAD2023-01-17 10:38:55.314 11241100x8000000000000000104397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.305{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\136A8BD8034C58767248FD9FC2AD68ACDD18E0E82023-01-17 10:38:55.305 11241100x8000000000000000104396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.287{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\03A3284413E76AB9EF6155914780932B53A256642023-01-17 10:38:55.287 11241100x8000000000000000104395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.287{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\975E46E7351B1EE87766961010B1CE54A7E4C8F42023-01-17 10:38:55.287 11241100x8000000000000000104394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.287{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\555A30C7D621272EE74028365657A74C84F34F1A2023-01-17 10:38:55.287 11241100x8000000000000000104393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.287{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\406421EE1EA3752DE381837216A1D0EF0C69FDC32023-01-17 10:38:55.287 11241100x8000000000000000104392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.287{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6BCFEB3762E112D2542E34A8F05F88A9E4E3FB852023-01-17 10:38:55.287 11241100x8000000000000000104391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.287{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\42C578C60B0903411B144F4FE8F0AC15970BA12D2023-01-17 10:38:55.287 11241100x8000000000000000104390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.287{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\479A9C134706BBBD248F73FC995AF3AA265CFC1C2023-01-17 10:38:55.287 11241100x8000000000000000104389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.287{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F55A60E9F1F8DD35B32EA0A75C5D3CF3134EADEE2023-01-17 10:38:55.287 11241100x8000000000000000104388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8556D606FD4BEE6A330786F0D13730034C9436912023-01-17 10:38:55.269 11241100x8000000000000000104387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\49772358F4DE34914803BC63FB7BE9ACF152EF4D2023-01-17 10:38:55.269 11241100x8000000000000000104386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9942FA50700AE581E74B1EF8375742A1DE099C2F2023-01-17 10:38:55.269 11241100x8000000000000000104385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1C3C1AC31C2DD44A03ED7972A671B4E6ADB4B1612023-01-17 10:38:55.269 11241100x8000000000000000104384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D9C6AA59EA7D8B2A3C2A48F280106BCB8A099B772023-01-17 10:38:55.269 11241100x8000000000000000104383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9677086B2E58E223F0D97A570CC20DC20D6454702023-01-17 10:38:55.269 11241100x8000000000000000104382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.267{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3EF4C830618C1AC1F052A7FBFEDA72562B22CC752023-01-17 10:38:55.267 11241100x8000000000000000104381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.267{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\94725FF9FDD0C5DAB5B9C97AFC327D4639B0284A2023-01-17 10:38:55.258 11241100x8000000000000000104380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.241{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C74766ED8982122A06543B474EECF97518F25A172023-01-17 10:38:55.241 11241100x8000000000000000104379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.241{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2D657128D83916C0BBFBA3BC534493792CC45D712023-01-17 10:38:55.241 11241100x8000000000000000104378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.241{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4F3BA046FA4A5BBBC7C850FA07BC8C22F2A141692023-01-17 10:38:55.241 11241100x8000000000000000104377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.241{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DF97E7919C55C5D67A31234C6D0022D69EC4E38A2023-01-17 10:38:55.241 11241100x8000000000000000104376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.241{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\077083EC3293E9ED7F1E29EB300DE3DC579017EC2023-01-17 10:38:55.241 11241100x8000000000000000104375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.241{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3B88C79E6EE15F52A2F4B58E24A752A37F3D59092023-01-17 10:38:55.241 11241100x8000000000000000104374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.241{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8E637E4B349C09AC5AB9B264B3D5BCC040131F712023-01-17 10:38:55.241 11241100x8000000000000000104373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.241{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\491EA7E19BB3A36649FF998F8C9954F49342A8B52023-01-17 10:38:55.241 11241100x8000000000000000104372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.223{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:38:53.005 23542300x8000000000000000104371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.223{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.223{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\prefs-1.js2023-01-17 10:38:53.005 11241100x8000000000000000104369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.223{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AAC5CD3560F3EF36DD96FD63E0B5AF18B1F5453A2023-01-17 10:38:55.223 11241100x8000000000000000104368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.223{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A004DD1A66193831172254A071B5991F6CB482C62023-01-17 10:38:55.214 11241100x8000000000000000104367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.214{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0304D734F8F502EB66EF453A17CB9F5B8C43B8B72023-01-17 10:38:55.214 11241100x8000000000000000104366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.214{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F0E149DF5DAF99F2E97F63398ED388D61977C5302023-01-17 10:38:55.214 11241100x8000000000000000104365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.214{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C2DBA39D1F0EFF429F004C7EF05413224F92FEA82023-01-17 10:38:55.214 11241100x8000000000000000104364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.214{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4F0BCC58AE7C662AA8CE337B597266047814B8362023-01-17 10:38:55.214 11241100x8000000000000000104363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.214{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\87D1E6D2669DBD20C5597F69DADCD3B6066389C22023-01-17 10:38:55.214 11241100x8000000000000000104362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.196{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F89F6C04E036909D7FC0F3B22B11CAA186992B92023-01-17 10:38:55.196 11241100x8000000000000000104361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.187{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7D6A12780C1B00A95DAA5184DD5E28D24EB1C81D2023-01-17 10:38:55.187 11241100x8000000000000000104360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.178{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CD391C3709E90F61D7015D22B6CEAC7C53BB9C612023-01-17 10:38:55.178 11241100x8000000000000000104359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.178{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7102B8E96AA0B61615CFDE56763A9ED9B983730A2023-01-17 10:38:55.178 11241100x8000000000000000104358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.178{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D916403BF73B2F44BF3984B29497AEE3380680702023-01-17 10:38:55.178 11241100x8000000000000000104357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.178{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D24635F6A59762E918DF89D6F4589F6FAC3FDA862023-01-17 10:38:55.178 11241100x8000000000000000104356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.178{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CC7809CAFBB8C1BEE3E1812765FB41D5ABC152572023-01-17 10:38:55.178 11241100x8000000000000000104355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.178{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E6F507DCB03A19F901B0794B38BC9DB8454FE79B2023-01-17 10:38:55.178 11241100x8000000000000000104354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.178{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F70B0A6296A37FC9A0471F764EC3D75240EDD0A82023-01-17 10:38:55.178 11241100x8000000000000000104353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6C2BC1BE899FE3232AD7DB3E11E6407B224D71932023-01-17 10:38:55.158 11241100x8000000000000000104352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\563BF5FB0D494EEB84D971252FD3795B7EB495172023-01-17 10:38:55.158 11241100x8000000000000000104351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\225DB6D136144102BEBF8D999082D58148570B222023-01-17 10:38:55.158 11241100x8000000000000000104350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1B5B802B1F1D46DE3EB57F66D684BA8E2C3228AA2023-01-17 10:38:55.158 11241100x8000000000000000104349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BBB7BE9B0813FC5104564E06AAF91FA9A955D1C82023-01-17 10:38:55.158 11241100x8000000000000000104348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B188F38156DA1917F8C1EE84D678DF33EEE49B852023-01-17 10:38:55.158 11241100x8000000000000000104347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DFA441EEA97EBA0776B70BD506017107843810772023-01-17 10:38:55.158 11241100x8000000000000000104346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7741F7D6C5A3E6680E2E4AB709F127B5C69BF74C2023-01-17 10:38:55.158 11241100x8000000000000000104345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.132{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D164EBEEF07D07EF62BB403EA63BB41075917DF82023-01-17 10:38:55.132 11241100x8000000000000000104344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.132{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\23EC873489C253CC38CC03B2695BC5EDD8CAD4812023-01-17 10:38:55.132 11241100x8000000000000000104343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.132{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\85506F5811D7104EAB8AD6163A2590D93BCA8AA62023-01-17 10:38:55.132 11241100x8000000000000000104342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.132{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E4195EF44145EDD38853746B3B84B5CB6F4AD6BC2023-01-17 10:38:55.132 11241100x8000000000000000104341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.132{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B60F64A467387DBCA8A2C834BF8DD0A2F3DB06232023-01-17 10:38:55.132 11241100x8000000000000000104340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.132{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C8AED7B2BA33413BF011DB2BE8B36010BD5793D52023-01-17 10:38:55.132 11241100x8000000000000000104339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.132{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9338D221555577260FE668825C60607D85B5B50C2023-01-17 10:38:55.132 11241100x8000000000000000104338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.132{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EBEAB025B0308B792390D53E5BB2EA000D45FFC42023-01-17 10:38:55.132 11241100x8000000000000000104337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D3897E1AEB68B637239F51D510D9F0E547A752F32023-01-17 10:38:55.105 11241100x8000000000000000104336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\390236572D27E57FB8230AD78178E8560D490C442023-01-17 10:38:55.105 11241100x8000000000000000104335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4BA6C7704E34257E6A157A59DB1DD0041E51EA3E2023-01-17 10:38:55.105 11241100x8000000000000000104334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6E225FBE1582D91B9E1D01B495FDB90E803A5AE02023-01-17 10:38:55.105 11241100x8000000000000000104333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\69049B2B6C981F970B8F4E0B35D061D198727AD52023-01-17 10:38:55.105 11241100x8000000000000000104332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\62B4B79945A87D58D04594CA01C2114858EFAFE12023-01-17 10:38:55.105 11241100x8000000000000000104331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\177318BF68581524B09134A56A71BA2E6B735C8F2023-01-17 10:38:55.105 11241100x8000000000000000104330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4C262FDC61476FA94912A4B3A0750F7019E47C562023-01-17 10:38:55.105 11241100x8000000000000000104329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.013{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\settings\data.safe.bin2023-01-17 10:38:55.013 11241100x8000000000000000104328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.013{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\settings2023-01-17 10:38:55.013 11241100x8000000000000000104327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.013{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\security_state\data.safe.bin2023-01-17 10:38:54.704 23542300x8000000000000000104326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:55.013{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\security_state\data.safe.binMD5=554B994142B00E82580C77F0A5F177C1,SHA256=94B4B128F8E30BDB92C86E80557F387F06D6EB733B3CD951EC288E5111A641E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:56.493{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E533D1C61C32BF2968A3756FE3738D5,SHA256=C16BB56C8D41930262FF8069200855A2D91E70496AAD92D74CB4502F3B128505,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.998{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6E84082ED355F66511382F764F85038373C1C4AA2023-01-17 10:38:56.998 11241100x8000000000000000105032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.998{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\15D44F4C76B4DEEED58A8F2DF3FE87F57ADF83D52023-01-17 10:38:56.997 11241100x8000000000000000105031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.997{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1EACB014261E38DB1FEB8A80D5821574126C66ED2023-01-17 10:38:56.997 11241100x8000000000000000105030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.996{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4B0430B65D6BCFDF58C1A38C13050CFB3E080E872023-01-17 10:38:56.996 11241100x8000000000000000105029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.995{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\66E6CE74F90FC9DA4305821A6F34748F98C0D2B42023-01-17 10:38:56.995 11241100x8000000000000000105028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.994{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\652A356504EDBB271941176FD0C768EECF7F1E932023-01-17 10:38:56.994 11241100x8000000000000000105027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.994{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\619A3348C64FC3174CE594728C927DDF139BCC6E2023-01-17 10:38:56.994 11241100x8000000000000000105026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.993{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B4D658F05757EF3CF4F26D502B93398CFCE041E62023-01-17 10:38:56.993 11241100x8000000000000000105025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.974{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\86704A410C6A7581A52AE992AFFDBA2B071AE2462023-01-17 10:38:56.974 11241100x8000000000000000105024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.973{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4BFEEAC0563E07187E1130B5F5983BEA7FAE095F2023-01-17 10:38:56.973 11241100x8000000000000000105023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.973{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\86725EC155D5E32E061E856CF0A92ED81C02E7B52023-01-17 10:38:56.973 11241100x8000000000000000105022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.972{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\54F0915AD75EB407A8F38DAD036BF1E43B919BF32023-01-17 10:38:56.972 11241100x8000000000000000105021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.972{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3C8004597EFBE2FDDA839928100500EB15BDA5822023-01-17 10:38:56.972 11241100x8000000000000000105020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.971{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C59AA89A6D8D512BA32E39B847E2C31F53F3458E2023-01-17 10:38:56.970 11241100x8000000000000000105019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.970{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\61BFFB86FB33508DEEB58E91E486C9DD35C394412023-01-17 10:38:56.970 11241100x8000000000000000105018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.969{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3B5B3B92D7D25A5A65AA516A060369929FF1A49A2023-01-17 10:38:56.969 11241100x8000000000000000105017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.955{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6FA2360F60AF27E3AB4A9746353DB0C35E8527002023-01-17 10:38:56.955 11241100x8000000000000000105016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.954{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\53C4E87E5A9F965B6C1F95B4CAAB33FAC5F76FC22023-01-17 10:38:56.954 11241100x8000000000000000105015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.954{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\97095927319A1C4FA2DE8D1310B3FD36FC4EF9B82023-01-17 10:38:56.954 11241100x8000000000000000105014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C062A66E097A1563F42E00AD9F603A9DA2DCF1E82023-01-17 10:38:56.945 11241100x8000000000000000105013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E9D5FD487CA33A9D4C40560D228D891049D0D2382023-01-17 10:38:56.945 11241100x8000000000000000105012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EF416A13728F90EC623C03FD89C7E2E74AF539052023-01-17 10:38:56.945 11241100x8000000000000000105011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4F762B3A984A0F663B195E42234831C5543804FF2023-01-17 10:38:56.945 11241100x8000000000000000105010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.936{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F608729537C1A12BE01BB5348B9BD2B71A9920672023-01-17 10:38:56.936 11241100x8000000000000000105009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7ABFBD4481451DF67687D2ECEFC0CC1DD9FDC24E2023-01-17 10:38:56.918 11241100x8000000000000000105008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\017BE3C98BFDA6DF51F0991F9D11ADAA2672ADEF2023-01-17 10:38:56.918 11241100x8000000000000000105007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5BDC88F032E9AC4FF6FB4BD37930D092CF53C7BF2023-01-17 10:38:56.918 11241100x8000000000000000105006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\44BBFFF8415F1DF66DE576A4F45FCA93A8F0D4992023-01-17 10:38:56.918 11241100x8000000000000000105005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1933B1F31BFD546DEE39225616A6DCECA8E72FD72023-01-17 10:38:56.918 11241100x8000000000000000105004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2AE89E8944C45BCF2ADF4999C0E827850F7AEFD62023-01-17 10:38:56.918 11241100x8000000000000000105003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F2099A2D3DB4619CA16135B168B2E71C4505056B2023-01-17 10:38:56.918 11241100x8000000000000000105002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1DFD1C0B173B484F27BF9F82B3AD5FD96B51871D2023-01-17 10:38:56.918 11241100x8000000000000000105001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B5784A43C8A0D0C726F27437CC70C2B98F9934142023-01-17 10:38:56.900 11241100x8000000000000000105000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CE5456349DC5793604199DB089461C97DD2A9BBE2023-01-17 10:38:56.900 11241100x8000000000000000104999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AA31350576C1C12DF3600EDC041BA58B7AD44D132023-01-17 10:38:56.900 11241100x8000000000000000104998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\360DE75F4BA077647CB974AC21CD4FC20D1E47C12023-01-17 10:38:56.900 11241100x8000000000000000104997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\774185AAB7F6E2F3D250BDCFAC4E38F98214AB3D2023-01-17 10:38:56.900 11241100x8000000000000000104996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2AB252E8ADCB3B775CFC1E648609175EC0EC30E02023-01-17 10:38:56.900 11241100x8000000000000000104995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B5E68957E3CC343E13B40D033F6C4C61BB1F15E42023-01-17 10:38:56.900 11241100x8000000000000000104994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.891{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\526B6BA245FAA018AC4CF56B327354EBE95E87C92023-01-17 10:38:56.891 11241100x8000000000000000104993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D2584DF2EE99CDAF3E207CF75A258EA1177580F62023-01-17 10:38:56.882 11241100x8000000000000000104992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.881{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\28227D2ED03AC57B0623DBF149196CDEA7BAD3522023-01-17 10:38:56.881 11241100x8000000000000000104991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.881{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C31698882A9BB90B13E358AB2DD8A07A78EC18E22023-01-17 10:38:56.881 11241100x8000000000000000104990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.872{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A07F56FBDBAFFCA11B45106491478965BD4352B02023-01-17 10:38:56.872 11241100x8000000000000000104989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.872{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7D2585D546237A91ADC30D50F09BC0E50840AEF32023-01-17 10:38:56.872 11241100x8000000000000000104988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.872{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\056B9C8BE750AC83F8C06ECF4938B5E4A2038D6E2023-01-17 10:38:56.872 11241100x8000000000000000104987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.872{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EBE41A1CADA1104BF694272BADCDCCEE613A788F2023-01-17 10:38:56.872 11241100x8000000000000000104986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.872{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4816C29FAB0E0A8A4E6D7F91BFEC48CF9E70400C2023-01-17 10:38:56.872 11241100x8000000000000000104985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6DB17D51F604CA649FAB182DDCDFD7A6BF94ED192023-01-17 10:38:56.854 11241100x8000000000000000104984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A904914C80A777F38756ECA9EA0FBD659772138F2023-01-17 10:38:56.854 11241100x8000000000000000104983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0531A9508185A9F4C20E4E20C7136B81D82CD4862023-01-17 10:38:56.854 11241100x8000000000000000104982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8D649B8572F333387651A1A9AFEFEC6CB73BACB32023-01-17 10:38:56.854 11241100x8000000000000000104981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6ACA68985513AB20095F5EFB0B04E32A29CBA7CE2023-01-17 10:38:56.854 11241100x8000000000000000104980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5383B91B1EE2E8E2A9324B30A42503ED9ECB212E2023-01-17 10:38:56.854 11241100x8000000000000000104979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6474D83939AA112A981FB8471E1A3F82F30071E62023-01-17 10:38:56.854 11241100x8000000000000000104978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D096F737836AD33F9B12270BE03463CBF42BB1C02023-01-17 10:38:56.854 11241100x8000000000000000104977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E796AA2D9BBF23B7F97C1D94FB3DE5B4FF4EAF792023-01-17 10:38:56.836 11241100x8000000000000000104976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6D05B8917869AB28445837BD6236A9BD77E6B9AB2023-01-17 10:38:56.836 11241100x8000000000000000104975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C539E42659940A177B6D8209FD3B766140B2A23C2023-01-17 10:38:56.836 11241100x8000000000000000104974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3305B4C6427CD64345D915DF32DC6B6956ECD36D2023-01-17 10:38:56.836 11241100x8000000000000000104973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.827{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4429DE2C4462DF324F12EFFE82696C2E144A0B2F2023-01-17 10:38:56.827 11241100x8000000000000000104972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.827{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AE883C6666377032636D8F63AD4B3FD586459F1C2023-01-17 10:38:56.827 11241100x8000000000000000104971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.827{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CEE4EB86F1857A8290A3DCCCC932AB74443A785A2023-01-17 10:38:56.827 11241100x8000000000000000104970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.827{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\78240D938CC96765AE792E7A7924D4A2C2C78F412023-01-17 10:38:56.827 11241100x8000000000000000104969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B4BE3134E472C3E17AE9870B6A48696B5A453B082023-01-17 10:38:56.809 11241100x8000000000000000104968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D2C257A0A807FFBC2721AF59C8976CD12193A9142023-01-17 10:38:56.809 11241100x8000000000000000104967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E14DD46E43BF9DBE8E6740577B58AEF359E08BBD2023-01-17 10:38:56.809 11241100x8000000000000000104966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2DD40C857DF281854F76B1734042AE61F783B5EC2023-01-17 10:38:56.809 11241100x8000000000000000104965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5F7205AE322273189AED98A04737208BB1C30FF02023-01-17 10:38:56.809 11241100x8000000000000000104964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\733A5C7A90DE54CCAA3CA7B12FB38F3073532AFE2023-01-17 10:38:56.809 11241100x8000000000000000104963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7CE1F1C88C09295BB2F62CAFD6B6E6F1949DC4812023-01-17 10:38:56.809 11241100x8000000000000000104962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ABB953E7027C84551E3D18AF89D29E8154F641AD2023-01-17 10:38:56.809 11241100x8000000000000000104961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3E5A9318926E45136FB622366ACA087BB66819BC2023-01-17 10:38:56.791 11241100x8000000000000000104960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F207F254C5628C4BAA9FBB084BC127584AE84D6F2023-01-17 10:38:56.791 11241100x8000000000000000104959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1D977FF81C3B38053B20F667F398D20A1C6E50CE2023-01-17 10:38:56.791 11241100x8000000000000000104958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\03DBF05938D01B2E9B52D2D7A995E87E4259463B2023-01-17 10:38:56.791 11241100x8000000000000000104957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EAFDA64DD46D4675A5325873D2CECBF0E64F8B5B2023-01-17 10:38:56.791 11241100x8000000000000000104956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.782{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F127BE19E2D4A66B50A262CAD45C542D3D350A792023-01-17 10:38:56.782 11241100x8000000000000000104955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.782{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\47F8B57495E07FE273EB948CADC6BBB1DBB826992023-01-17 10:38:56.782 11241100x8000000000000000104954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.782{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F5DCEBA17363C53F46E2560520424AC68B47F09D2023-01-17 10:38:56.782 11241100x8000000000000000104953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.765{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3C8E7D2ADF8E05AF74BD3E68EFD4DD55C5EF84422023-01-17 10:38:56.765 11241100x8000000000000000104952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.765{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A7F2A252BBE46E6ED898901DD64B23F63F64DCA52023-01-17 10:38:56.765 11241100x8000000000000000104951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.764{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\88C8FC1D372C2B19347DE6D62EA29D2885A8B63D2023-01-17 10:38:56.764 11241100x8000000000000000104950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.764{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E7EC4F1BFF9B96F00D48703CC5E3753E1BE97A002023-01-17 10:38:56.764 11241100x8000000000000000104949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.763{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C48E69076C34AEF209E68D031C48E43FCDDCDAA22023-01-17 10:38:56.763 11241100x8000000000000000104948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.754{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C18CDB622049F0FAE1B981DB24A1E134FEE633352023-01-17 10:38:56.754 11241100x8000000000000000104947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.754{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\556754EB9D0DC08F2A4662D4795365626C7D1FE72023-01-17 10:38:56.754 11241100x8000000000000000104946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.754{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8212F563171707500CBC840DD67AC22CBF2179372023-01-17 10:38:56.754 11241100x8000000000000000104945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8D6AD82CA4CF5DD66683788B4FC86EA48BC8AB262023-01-17 10:38:56.736 11241100x8000000000000000104944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FBCD72D1038857AFC71A366A41443BDB298C7D922023-01-17 10:38:56.736 11241100x8000000000000000104943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4AF4275C0F1F410C22AFF62D6F56BBD53282C8732023-01-17 10:38:56.736 11241100x8000000000000000104942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E92AD85DD99148E9D349A91D7067CF019FAE4E662023-01-17 10:38:56.736 11241100x8000000000000000104941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\502E37172C9258AEDB4074F96DDCABE2BC3A06172023-01-17 10:38:56.736 11241100x8000000000000000104940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.736{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.736{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377701B1F0A55A40A9892E40AC37CC1C,SHA256=83B747ED342004A4B5F1C7A0BDFDE1F16E0D15E058817F78C15EC08193EDB5AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C05FBBD1E323A35C6CFBB24434AD684B6ABBC45D2023-01-17 10:38:56.736 11241100x8000000000000000104937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E48255EC1764FC5E0147FBA9CB31DE1040F813B22023-01-17 10:38:56.736 11241100x8000000000000000104936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.736{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D0EAB4186C84242CBE67B093B23DFD303578C15A2023-01-17 10:38:56.736 11241100x8000000000000000104935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D5E6112BA946EE629D187D594C8950DA127217D22023-01-17 10:38:56.718 11241100x8000000000000000104934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F199EBAEB05C2FDC2E098B24A128EAC9EF70A2262023-01-17 10:38:56.718 11241100x8000000000000000104933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B675C5F5FFACF874E705146520BEB2653D066F162023-01-17 10:38:56.718 11241100x8000000000000000104932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8FDCA8757F2F06F1BD1C65CA0898EC5F9BD1AC082023-01-17 10:38:56.718 11241100x8000000000000000104931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\14DBB7588192487FAD73099F76C17AD21475FCE62023-01-17 10:38:56.718 11241100x8000000000000000104930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.709{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B9082DD7EBBC012FDF2544AA17BD1EF231FECD482023-01-17 10:38:56.709 11241100x8000000000000000104929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.709{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DDEAA39829A026C418689AC9D3E373095AAEBCDA2023-01-17 10:38:56.709 11241100x8000000000000000104928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.709{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0629FC21DB0A3CE5CCDBE54E886C56CAE9B21F0B2023-01-17 10:38:56.709 11241100x8000000000000000104927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C174F56F4217D9FB03D0288B19349EEAEE233B372023-01-17 10:38:56.691 11241100x8000000000000000104926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\371C9EEE8B0EDFE3DB0A86AFEBCFF0682FB094F72023-01-17 10:38:56.691 11241100x8000000000000000104925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\486E9B7FAD1D640C0A5C3789A9C95420FD45924F2023-01-17 10:38:56.691 11241100x8000000000000000104924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B3EB9F84213CBE67692A95B110BA2F3F379DADED2023-01-17 10:38:56.691 11241100x8000000000000000104923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9198371C1817F606B2190F41FA92713269DEF4C82023-01-17 10:38:56.691 11241100x8000000000000000104922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\79D03EB26482D3308245D29EF4E47C2B5732C6BB2023-01-17 10:38:56.691 11241100x8000000000000000104921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2B8CDE9913289BFC47FE94680E660B4F30C7E5B52023-01-17 10:38:56.691 11241100x8000000000000000104920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1C5D5512D6DEEC3178388C0BD5D1DA97592B397F2023-01-17 10:38:56.691 11241100x8000000000000000104919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B20F54E8B98D9BC0110E81C3779D6848CE36CCA82023-01-17 10:38:56.672 11241100x8000000000000000104918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\00E796C2BFC63FBBC014992122775DC851A3D71D2023-01-17 10:38:56.672 11241100x8000000000000000104917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\52007DF3A395D82C424D851F0A85C2FAAFAEA5CD2023-01-17 10:38:56.672 11241100x8000000000000000104916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FA3FE484EF64ACADDA57B66CFBF22E74F75FC4FD2023-01-17 10:38:56.672 11241100x8000000000000000104915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1041CC8CEEAACD78DC80185CCB6829746F505F432023-01-17 10:38:56.672 11241100x8000000000000000104914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\23396A4C76EE2A7B0D2FC38608285CA21BED9D9A2023-01-17 10:38:56.672 11241100x8000000000000000104913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BD88C97F4F28C5C6B2F3AE915A564772CBB3BB802023-01-17 10:38:56.672 11241100x8000000000000000104912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\98B7CE2CB7555D0021B3B8AF3AE18BB1807BD1E62023-01-17 10:38:56.672 11241100x8000000000000000104911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3C7DBA6FA08A5D8AA1F7D1B073E8F32BA550C9522023-01-17 10:38:56.654 11241100x8000000000000000104910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6E313B8414EE66BFD84AB8CEAB87A7358DAA62292023-01-17 10:38:56.654 11241100x8000000000000000104909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.645{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6C4202340A0E7F2736806B1335146F83023F20AF2023-01-17 10:38:56.645 11241100x8000000000000000104908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.645{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\57419DD3200B2512D029506439BE37A2D217CC512023-01-17 10:38:56.645 11241100x8000000000000000104907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.645{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FEC326C0A39A69F33838BBCC2C06D264E76BB6F32023-01-17 10:38:56.645 11241100x8000000000000000104906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.645{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\28B27E85642741EF6F5F88A5766545202B6208172023-01-17 10:38:56.645 11241100x8000000000000000104905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.645{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BFB08C4D8116C14814277D0FA7D9A164C358A1E12023-01-17 10:38:56.645 11241100x8000000000000000104904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.645{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\66A57D27349D1341B1CF73EF2280A3F69E9B7C742023-01-17 10:38:56.645 11241100x8000000000000000104903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B55F0A33EA1290560B12FCB460E0810E05D7B0452023-01-17 10:38:56.627 11241100x8000000000000000104902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A17DBEB488E06E7F8CCE23A4A912B6451117FD722023-01-17 10:38:56.627 11241100x8000000000000000104901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\91FC5FB32E1F027B4A742506AB6220314999C85A2023-01-17 10:38:56.627 11241100x8000000000000000104900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CAD012C02C3CCC617B8E8C9E9E2C8A2C33E4F7B72023-01-17 10:38:56.627 11241100x8000000000000000104899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C21B3135076BFF515A4C751F4E96881BF3ADF38E2023-01-17 10:38:56.627 11241100x8000000000000000104898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6DD8B32AFFA59ADE348840422B5A0047A1FC01792023-01-17 10:38:56.627 11241100x8000000000000000104897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C9C058E34C6AA997E6ABDA72F77C22F50B721B362023-01-17 10:38:56.627 11241100x8000000000000000104896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3C4D42033EFB281F1D802AC88C818290880A86692023-01-17 10:38:56.618 11241100x8000000000000000104895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\420D1D2D5F4D2E84EFBE4812771F76655A14CF882023-01-17 10:38:56.609 11241100x8000000000000000104894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FA3459BEA5FACCD3816DC9512F20E0AC70023FAA2023-01-17 10:38:56.609 10341000x800000000000000070960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:56.022{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:56.022{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:56.022{F6EEFE7F-6CEE-63C6-0B00-00000000B102}6204072C:\Windows\system32\lsass.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:56.006{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-74DD-63C6-9C01-00000000B102}5524C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000104893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0647CF8505EB2A2F9423EC7EF8B0F626BC3560642023-01-17 10:38:56.609 11241100x8000000000000000104892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6AC730A2AB2D3283AEC16F081EF23A3AEE671FC92023-01-17 10:38:56.609 11241100x8000000000000000104891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0FF5CFB196363713A48F2D56ED5669C0BA31EE572023-01-17 10:38:56.609 354300x8000000000000000104890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.321{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64615-false10.0.1.12-8000- 354300x8000000000000000104889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.301{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50832- 11241100x8000000000000000104888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.600{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4EF1CAE7CE6BE0755F23AF250904CB9B91D023CD2023-01-17 10:38:56.600 11241100x8000000000000000104887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.600{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\26B7A89B14D1DA063E3364AFBFEFF84DBDD1CCE32023-01-17 10:38:56.600 11241100x8000000000000000104886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.600{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C98686D46638FF15B0EC1918C84668257BD1BD4D2023-01-17 10:38:56.600 11241100x8000000000000000104885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1F7ED2229B872A7B346DB8E53D956EFA68FF89292023-01-17 10:38:56.582 11241100x8000000000000000104884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\41B2CFDC44CC579AE971C59D3DEFD6BE4BBC2E112023-01-17 10:38:56.582 11241100x8000000000000000104883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8468A699CAA269E058E63055775B427E2ED5AED52023-01-17 10:38:56.582 11241100x8000000000000000104882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1135633C0FBF7A92622BAD06189D6D8BEB113A772023-01-17 10:38:56.582 11241100x8000000000000000104881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A35BE8687E11E86556CBA824B4A34694670DC7772023-01-17 10:38:56.582 11241100x8000000000000000104880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\01B788380BD3A5C1BB721EEE3FAF826B08AD25602023-01-17 10:38:56.582 11241100x8000000000000000104879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A88858692EFDBE0061E7C2841957E256A6CE79A42023-01-17 10:38:56.581 11241100x8000000000000000104878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.581{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7ECFA87BD876FC9BC2D3A8ABF1A57280926BD8102023-01-17 10:38:56.581 11241100x8000000000000000104877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.555{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B409777295EF815F7C5A4FE8E6F4FC45055F01B82023-01-17 10:38:56.555 11241100x8000000000000000104876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.555{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D0FCA64652245B4E1C717E47F34950FDA852007E2023-01-17 10:38:56.555 11241100x8000000000000000104875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.555{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\335576D59363FC6F4D65E39D7814ECC2E0B1BD952023-01-17 10:38:56.555 11241100x8000000000000000104874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.555{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\43389FDB091E5212EED9A4A2DDCEFFE1D1E8DF0B2023-01-17 10:38:56.555 11241100x8000000000000000104873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.555{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\84E33258BEF2004D5612AE3A94191495AD173B752023-01-17 10:38:56.555 11241100x8000000000000000104872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.555{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\15F682BD925AB9938936F30E9B07546CBCD55D9E2023-01-17 10:38:56.555 11241100x8000000000000000104871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.555{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\779474CB43FBF0C3A1C29270DF2F69473A687CBE2023-01-17 10:38:56.555 11241100x8000000000000000104870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.555{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EEF5C0A43982CA1D79B6F7390E493970973C7A522023-01-17 10:38:56.555 11241100x8000000000000000104869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.537{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3B5BFC9A3BFF8CEC59712179C839788783D933752023-01-17 10:38:56.537 11241100x8000000000000000104868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.537{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\03BFBD029EF5462FE31E5F833D234B3BF8AB56C62023-01-17 10:38:56.537 11241100x8000000000000000104867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.537{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1413CFE7B1456ADBB026C22FEA271C2BE57646A62023-01-17 10:38:56.537 11241100x8000000000000000104866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.537{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\802805E30E38E4C5992F90E40A9ECA73C1B29D0B2023-01-17 10:38:56.537 11241100x8000000000000000104865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.537{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\609364795E69BE33FCB10E047B3DF5091DA11E1C2023-01-17 10:38:56.537 11241100x8000000000000000104864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.528{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\95405D661437BE1011F0CD4549694459846C776E2023-01-17 10:38:56.528 11241100x8000000000000000104863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.528{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ACEA69AF6915C59B19A632078BB5057A3208461A2023-01-17 10:38:56.528 11241100x8000000000000000104862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.528{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A49D1FF5AD74A84F1B4331958A597B3EF333B78E2023-01-17 10:38:56.528 11241100x8000000000000000104861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.528{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\broadcast-listeners.json.tmp2023-01-17 10:38:54.006 11241100x8000000000000000104860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.519{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\25F13559D5A7D685CF4A745C8FCDCF3D1503ACE22023-01-17 10:38:56.519 11241100x8000000000000000104859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.510{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\013DE866275E0B8041BCF19A79393FE4E457492C2023-01-17 10:38:56.510 11241100x8000000000000000104858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.510{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DA8704CB8D2DF3B846A3F4208067DB7F27C2127F2023-01-17 10:38:56.510 11241100x8000000000000000104857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.510{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\23B7EBFAE9AB3B47E762991F7A5422B558BF73B42023-01-17 10:38:56.510 11241100x8000000000000000104856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.510{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\951888E1FED51EB13D2CD4E4626ED8536007BDA42023-01-17 10:38:56.510 11241100x8000000000000000104855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.510{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6B17A8AD182440EA2D78157A8C2A1C6BA1CC72272023-01-17 10:38:56.510 11241100x8000000000000000104854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.510{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2F96CF62FFD5A4045BB4864C3FE81A3D19EB30F42023-01-17 10:38:56.510 11241100x8000000000000000104853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.510{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\797ACF1D4DD7A19D91074211B19B0047B1E41CC52023-01-17 10:38:56.510 11241100x8000000000000000104852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.492{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A76368F510FC68624CCBFA28900DD7A4100D210A2023-01-17 10:38:56.492 11241100x8000000000000000104851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.492{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B6678700B05DEE01340DF0FBD352DB9DDCB39A792023-01-17 10:38:56.492 11241100x8000000000000000104850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.492{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F685C96D5849C768002686833B2766B2E03865B12023-01-17 10:38:56.492 11241100x8000000000000000104849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.492{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BB597DF5D15200BCEAF998F9BF7FA9EDD55A85672023-01-17 10:38:56.492 11241100x8000000000000000104848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.492{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A6877B5E4B65591E79F947DE32FF50DD2546EDFB2023-01-17 10:38:56.492 11241100x8000000000000000104847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.492{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A6F289D3BC550F69A11B9D79CC597B7C91B9CB6E2023-01-17 10:38:56.492 11241100x8000000000000000104846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.492{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\37EE52796C6A940A93DE411B0DF4E03877743A7E2023-01-17 10:38:56.492 11241100x8000000000000000104845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.492{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D3B47B9EFBD4154C9E5CC8BF29A117765361E2A82023-01-17 10:38:56.492 11241100x8000000000000000104844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.473{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1540DA328381596A6EDD106AF1B0C51E6C7EB2E42023-01-17 10:38:56.473 11241100x8000000000000000104843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.473{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F89751437F35F371286C0942BD90FEED94B47A82023-01-17 10:38:56.473 11241100x8000000000000000104842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.473{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\80F31D053B4A20421AC33894C4FBAC155C81D9812023-01-17 10:38:56.473 11241100x8000000000000000104841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.473{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9C8E1B7B395DCDE6F3F1FFCC45C03C2381C2D9192023-01-17 10:38:56.473 11241100x8000000000000000104840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.473{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F2749D437E7C27555C3F26D46313D03FE3A8C8682023-01-17 10:38:56.473 11241100x8000000000000000104839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.473{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3F97779D9CFA1158491BBC6F1D0B54A7D0CEAF882023-01-17 10:38:56.471 11241100x8000000000000000104838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D087AFD9C813EA73ED078709A5A83C6FEF822A512023-01-17 10:38:56.471 11241100x8000000000000000104837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E197B1CE175041EBA1019B3301BA7A842A739B6F2023-01-17 10:38:56.471 11241100x8000000000000000104836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.451{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9D0FDDFD2F17976EEFB9CCCFED66D7621734BBAA2023-01-17 10:38:56.451 11241100x8000000000000000104835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.450{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2AEF1E8D8D12D757CA0B5F5AF434A8AF568538A42023-01-17 10:38:56.450 11241100x8000000000000000104834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.450{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5D099E91C04D68874CF3352C921D46A7369D4F5C2023-01-17 10:38:56.449 11241100x8000000000000000104833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.449{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\43C1E34FE9A2FBDDAEFBADD3A411198FA22DE5D32023-01-17 10:38:56.449 11241100x8000000000000000104832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.448{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C462F5AE94FAFD21424F2939A7A3B4F01BD4DF4E2023-01-17 10:38:56.448 11241100x8000000000000000104831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.448{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\08F5DF08C4755F1FE2FD9E0CC9B492924632A7112023-01-17 10:38:56.448 11241100x8000000000000000104830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.447{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ADC162F76B805C1B0283AB0AD825C531F63BF28B2023-01-17 10:38:56.447 11241100x8000000000000000104829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.446{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DCD9517AFE933C32E93A413C1892297334B069CF2023-01-17 10:38:56.446 11241100x8000000000000000104828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.438{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.438{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA825651586ABEB443A163A2308D29A0,SHA256=0E320E3193F5F62AC76A3F302DC402470D5F3705C96032A664F5DA52CBFF19B7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.424{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\679DA6400EFCE0D376CFBC8827398E5DABEFBA892023-01-17 10:38:56.424 11241100x8000000000000000104825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.424{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C9B0C4C0430F22723F0A4F5873466B66C8C2B5C12023-01-17 10:38:56.423 11241100x8000000000000000104824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\57C1B7F8D9A1A5ACA2F5E50B5735F19E964D718F2023-01-17 10:38:56.423 11241100x8000000000000000104823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.423{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4ADDE418531E36074B8029A167703C2923C21A112023-01-17 10:38:56.422 11241100x8000000000000000104822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.422{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\84B97FFEA2BFA6366ACFCF4052E8E7FDF41DBD652023-01-17 10:38:56.422 11241100x8000000000000000104821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.421{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AF9C999458C00AE2BFD592A846E57C91B403947C2023-01-17 10:38:56.421 11241100x8000000000000000104820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.421{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\42A18293F91EE80B68CE94D2261C3037694CF9B42023-01-17 10:38:56.420 11241100x8000000000000000104819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.420{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B75515825D58C7D1E265A94BB0D15BE31B7D85CF2023-01-17 10:38:56.419 11241100x8000000000000000104818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.403{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\86FF4EACDFDB9F9471EC8D0510B962F1F7B8B10E2023-01-17 10:38:56.403 11241100x8000000000000000104817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.403{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\590ADE44C466183E22FB73D235269F4EBA423DA42023-01-17 10:38:56.403 11241100x8000000000000000104816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.402{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\396F36B3CB87EDEAC3CD5A248F941B2CEEC626F62023-01-17 10:38:56.402 11241100x8000000000000000104815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.402{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DB958EC01FF722EBAEBF16E3EF3D554B2E152FFB2023-01-17 10:38:56.401 11241100x8000000000000000104814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.401{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D619104A39D7663B493180137BDB322C2495926D2023-01-17 10:38:56.401 11241100x8000000000000000104813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F6CCED277AE7064C456EFA4CAAA1489F1422B44B2023-01-17 10:38:56.400 11241100x8000000000000000104812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.399{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\586856AB9277E251A2D833F52F3B582CE92F42CA2023-01-17 10:38:56.399 11241100x8000000000000000104811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.398{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\640753B84142973EB45AC0B105C0176DB23A10D12023-01-17 10:38:56.398 11241100x8000000000000000104810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.381{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\100FFF054C84EE1936E094E798645A7774BB1FAA2023-01-17 10:38:56.381 11241100x8000000000000000104809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.380{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\88C7C09313D96000582E5AA569E0E8720CB6CB3D2023-01-17 10:38:56.380 11241100x8000000000000000104808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.380{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BAE54DE83F2684D9AFA29AF9BC8DF8692B751FFA2023-01-17 10:38:56.380 11241100x8000000000000000104807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.379{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A9625784736FFFD56F1B10508DDB230EC2D0619F2023-01-17 10:38:56.379 11241100x8000000000000000104806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FD4206397DCBE870AF0910E94139A52581C7750C2023-01-17 10:38:56.378 11241100x8000000000000000104805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.378{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FC829C30AB49A6A4546B47EA0F1B5CA70E56E76C2023-01-17 10:38:56.378 11241100x8000000000000000104804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.377{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8B26F2F9CD3C0292ADED5D4AC6A8B505568356402023-01-17 10:38:56.377 11241100x8000000000000000104803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.376{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4EDD55A5A23872FA45345CB188CDA4FB547DC6352023-01-17 10:38:56.376 11241100x8000000000000000104802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.368{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000104801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.368{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCC49B9AAE583F7FBF21669633BB066,SHA256=95380D57CB47EEE119F0B743CDCBA0936658B04B3AA95714ECE1747DFA0A9D86,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.357{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B0D95C0E3DC9CA18D5FBE1BB1DD0745B051CB8BC2023-01-17 10:38:56.357 11241100x8000000000000000104799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.357{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\97D67032400D7357259DC46B2AC1E9618849DD962023-01-17 10:38:56.357 11241100x8000000000000000104798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.356{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5B6FBC44C54C83142ECF1561BB5E05495FB9EE3C2023-01-17 10:38:56.356 11241100x8000000000000000104797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.356{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EC3DE1CCE65B3C03F628D2793BD74B9B39366B732023-01-17 10:38:56.356 11241100x8000000000000000104796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.355{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\75C4B9AB946C3B707403041B2D92681F8C660E912023-01-17 10:38:56.355 11241100x8000000000000000104795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.355{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\89528857FF83218A346DA16E625120AF94BA1C9F2023-01-17 10:38:56.354 11241100x8000000000000000104794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.354{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\98862E61535DC25AE9B0A99760A8A7844F22C45F2023-01-17 10:38:56.354 11241100x8000000000000000104793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.353{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\63303E482E1EFF889B2B33E2918E30AD2228DC3E2023-01-17 10:38:56.353 354300x8000000000000000104792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.300{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52952- 354300x8000000000000000104791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.277{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55860- 354300x8000000000000000104790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.277{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51313- 354300x8000000000000000104789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.276{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49299- 354300x8000000000000000104788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.276{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52481- 354300x8000000000000000104787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.253{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local49391- 354300x8000000000000000104786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.252{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50403- 11241100x8000000000000000104785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.337{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5CCB7707E07F9E92EE0628EDE0488CCC582AFD242023-01-17 10:38:56.336 11241100x8000000000000000104784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.336{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4D12161B55B8DC1D42F9CF6CCE1BB95152DD4E3C2023-01-17 10:38:56.336 11241100x8000000000000000104783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.336{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3202951E636494B124C5417F26458E04A227A6A32023-01-17 10:38:56.335 11241100x8000000000000000104782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.335{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9C5F94E4EBA5ADA2C397E954189373123DA534EF2023-01-17 10:38:56.335 11241100x8000000000000000104781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.334{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9095B38268C300B55A8599A82817AD4FC9DDD2B92023-01-17 10:38:56.334 11241100x8000000000000000104780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.334{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8362C365888E5EE42BF9AC6845C3DDD9950DC1D32023-01-17 10:38:56.334 11241100x8000000000000000104779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.333{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A70FE2E142CC586169D388B8885936923DC570042023-01-17 10:38:56.333 11241100x8000000000000000104778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.332{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\37F56803495ADB0ECAF8886E2A612B1FBAC4AA452023-01-17 10:38:56.332 11241100x8000000000000000104777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.316{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7C2FB5CAD8F9DCF2DC992B0D3C9B26B05C96BE2C2023-01-17 10:38:56.315 11241100x8000000000000000104776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.314{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\498FF5B1438434C6AE9F4FC9FA01DBEBBAE119ED2023-01-17 10:38:56.314 11241100x8000000000000000104775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.313{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FA06489620F0ACBCD5297B7E65ACE985CE1F787D2023-01-17 10:38:56.313 11241100x8000000000000000104774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.313{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\93BB9B714EBBEA1BEBED8F2AC2F2ABD7C74246D92023-01-17 10:38:56.313 11241100x8000000000000000104773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.312{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\46C4791C1B559FD35FBAF537109CE236A516E16C2023-01-17 10:38:56.312 11241100x8000000000000000104772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.312{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ED3ABAD319154C9A5A239E591891C070D88521D72023-01-17 10:38:56.312 11241100x8000000000000000104771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.311{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4C9123FFE8C28633B97331B9428AB5C4C767D1D22023-01-17 10:38:56.311 11241100x8000000000000000104770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.310{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B5CFEC792B60297A131B2B49B9E74573497FDCD22023-01-17 10:38:56.310 11241100x8000000000000000104769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.293{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9A11AA6BEFE55F382A59966F6548009797DEA2B32023-01-17 10:38:56.293 11241100x8000000000000000104768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.293{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\77D8442DEC160B46DD1E5C0632BC483EF21721D32023-01-17 10:38:56.293 11241100x8000000000000000104767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.292{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BD11A4C41C667642E00260BAC92B005778C9778D2023-01-17 10:38:56.292 11241100x8000000000000000104766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.291{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\95010A5A2D474E916FAF6BDB8C3B65341904EB4B2023-01-17 10:38:56.291 11241100x8000000000000000104765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.291{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\147526ABFEDFA6E6C31D08F37E343D7763B6F8182023-01-17 10:38:56.291 11241100x8000000000000000104764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.290{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B28D426579E5021AFE66510887C57830BE55B5E32023-01-17 10:38:56.290 11241100x8000000000000000104763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.290{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C43701C8BE03D2EC44503FC3C35E23EE37C9AD5E2023-01-17 10:38:56.289 11241100x8000000000000000104762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.288{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6627F7E15271B5D1BFAE59A831E9D31F5384529A2023-01-17 10:38:56.288 11241100x8000000000000000104761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.273{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9CF23278CFE2A106A0C70AC5EDDBBCB3919BD6E82023-01-17 10:38:56.273 11241100x8000000000000000104760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.273{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E0DD1116DA1C4E6F528618A5D39ED0BBF44D429E2023-01-17 10:38:56.273 11241100x8000000000000000104759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.272{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\646DC442B75A29FF90AC20F2A4845FEA5A3C481D2023-01-17 10:38:56.272 11241100x8000000000000000104758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.272{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7B6ED592B62EC03D600E2172921419CBD48F81812023-01-17 10:38:56.270 11241100x8000000000000000104757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ECB17D2930F1C4A489A8A497A9422CAF742B7C2E2023-01-17 10:38:56.269 11241100x8000000000000000104756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.268{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CC93F9CFC2E58464CAE2A349369CDBDB308DB9D72023-01-17 10:38:56.268 11241100x8000000000000000104755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.268{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FDCAE46D99A35686D0B53395D48EE1072609ED572023-01-17 10:38:56.267 11241100x8000000000000000104754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.266{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8CF2E2AB7A213C5366947E9841D3991DD797CB5A2023-01-17 10:38:56.266 11241100x8000000000000000104753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.247{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A96559A8F351A301CDAE1C6509797BB758AA3A292023-01-17 10:38:56.246 11241100x8000000000000000104752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.246{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0C995AB5ECA5AF3C6825D02F2529F435661FA5842023-01-17 10:38:56.246 11241100x8000000000000000104751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.245{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2DB231528ED6884A9AC379E5C8B591A91D59F7762023-01-17 10:38:56.245 11241100x8000000000000000104750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.245{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8648FEF2FB5AA3558576F6BD3379A04ABB131DB92023-01-17 10:38:56.245 11241100x8000000000000000104749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.244{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\531BAEC5773881C89D601CF0B5005518519DAF402023-01-17 10:38:56.244 11241100x8000000000000000104748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.243{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E7A1C8679977E1338AB2D19C8E8F39713896516F2023-01-17 10:38:56.243 11241100x8000000000000000104747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.243{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\476F37917A7D66C9849CDD79DF86BB47BE6B83A92023-01-17 10:38:56.243 11241100x8000000000000000104746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.242{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A5472CDF2A8F0E46037BC1633CCB6B36EEED3A642023-01-17 10:38:56.242 11241100x8000000000000000104745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.226{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DC349D65E126A47967BEAC205B5FA916F8D4B57F2023-01-17 10:38:56.226 11241100x8000000000000000104744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.225{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\629765C1D39DA74A7B11776A8C1AAD165FF241EF2023-01-17 10:38:56.225 11241100x8000000000000000104743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.225{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8626FA988F6BC80292319D527ADB3DF9B297FA812023-01-17 10:38:56.224 11241100x8000000000000000104742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.224{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E8C0CCDBAC11455B09E9B9213B82BF08688FD2D02023-01-17 10:38:56.224 11241100x8000000000000000104741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.223{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\350EC08A4DE33D5A53D86FEC5C2C060817CC9BEB2023-01-17 10:38:56.223 11241100x8000000000000000104740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.223{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\15341CA9B553E1A71F396F6996DFBFFB0961CB222023-01-17 10:38:56.223 11241100x8000000000000000104739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.222{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\35BCB72CC20D4DBD2C6B30ED9823FA9466EFFA662023-01-17 10:38:56.222 11241100x8000000000000000104738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.221{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\30F33543A9871379EC298CEB5F49A3D922E706E32023-01-17 10:38:56.221 11241100x8000000000000000104737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.201{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\55469839B3F5A4868944FD02E3B7DF3976AFFB702023-01-17 10:38:56.201 11241100x8000000000000000104736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.201{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EC8B318046853140FB768A94CB425766E14C979D2023-01-17 10:38:56.201 11241100x8000000000000000104735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.199{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\58541AEC7788F609D6122158B651EF8AAF8886D62023-01-17 10:38:56.199 11241100x8000000000000000104734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.195{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2603EC1CFDE353D3CAAC8FB9FECE5BDB6949FF402023-01-17 10:38:56.195 11241100x8000000000000000104733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.194{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\00D94F710299158F47207BD8807E77DC68216A202023-01-17 10:38:56.194 11241100x8000000000000000104732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.193{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7166C647870CACEF3CF41546215940F59B032BDF2023-01-17 10:38:56.193 11241100x8000000000000000104731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.193{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\62A40316509CAF83D1DB51BE295BD32E42AA66A12023-01-17 10:38:56.192 11241100x8000000000000000104730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.192{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C9FD7F9A73550BD902DCB8025A11BC04B5FC01052023-01-17 10:38:56.192 11241100x8000000000000000104729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.174{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\52FE414CCA6B045953221960B34F1F6E566B3A452023-01-17 10:38:56.174 11241100x8000000000000000104728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.173{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A8CE8CD2B14D2F69BD48FA7C76EA346142F3419C2023-01-17 10:38:56.173 11241100x8000000000000000104727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.173{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9AF7BB54AE4FC605C58DBAF4421F74C07F61A4C22023-01-17 10:38:56.172 11241100x8000000000000000104726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.172{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BD731A80838E75B7F7C7400516EC63D4B58EAB012023-01-17 10:38:56.172 11241100x8000000000000000104725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.171{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9D16E22F93DAEA8224B1C64DC9FF5F701E249EF52023-01-17 10:38:56.171 11241100x8000000000000000104724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.171{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\026E65E4ED1B9A8D88C948A5E4B6AE6963B9DC6A2023-01-17 10:38:56.170 11241100x8000000000000000104723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.169{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D3DEF95C8F79214BBBB866B9E7C070204C47BC342023-01-17 10:38:56.169 11241100x8000000000000000104722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.169{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\347BC5432D5D46BE6B9784367F8A6D62B50F4FF82023-01-17 10:38:56.168 11241100x8000000000000000104721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.149{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4CA0728E41318C7FFF2CDD28AD651CAAC391C8382023-01-17 10:38:56.149 11241100x8000000000000000104720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.149{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FA09DB4DCAFEB4C8A7498A6D42001ECB452473F42023-01-17 10:38:56.149 11241100x8000000000000000104719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.148{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A808DEA06A26E36D1BFDD6C2C80D20B272DEA2482023-01-17 10:38:56.148 11241100x8000000000000000104718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.147{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1F48BEE4C9033A33D2BA0638091CE8270E6DAC952023-01-17 10:38:56.147 11241100x8000000000000000104717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.147{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6A7B86A219973E48D3FF0B2D66E6C514AB8A5E572023-01-17 10:38:56.147 11241100x8000000000000000104716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.146{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AEF14CBB50EF148BF38CE4FB77E7563B832585A42023-01-17 10:38:56.146 11241100x8000000000000000104715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.146{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7DB15019A57B0C0A174BC48931E2AF3F912453A02023-01-17 10:38:56.145 11241100x8000000000000000104714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.144{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\68CB53CE5105328DA6964152A15270657FC9AB352023-01-17 10:38:56.144 11241100x8000000000000000104713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.128{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A8D31DF4650208DF25CC32D072845B483F467BBB2023-01-17 10:38:56.128 11241100x8000000000000000104712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.127{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F1ED7CDD1D465A3D73418957EDFE6418998F9A522023-01-17 10:38:56.127 11241100x8000000000000000104711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.127{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9D319635CD10DECB0D5A84BF79F7E670DEA41DE12023-01-17 10:38:56.126 11241100x8000000000000000104710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.126{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4A889395B2C0D7A533F4584B580B5D05DEFE1F802023-01-17 10:38:56.126 11241100x8000000000000000104709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FE8F80CD3A6FF4C57108B1D6D2D5BD2967A75C342023-01-17 10:38:56.125 11241100x8000000000000000104708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.125{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7FA8B25BD672748A496C370286D9EA389524606B2023-01-17 10:38:56.124 11241100x8000000000000000104707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.124{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3E43444E827F1B559C15D57584FA0FF8033ED9AC2023-01-17 10:38:56.123 11241100x8000000000000000104706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.123{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FEDDED4D0C481A6B70E9BAB25F192A4932A33F0C2023-01-17 10:38:56.123 11241100x8000000000000000104705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.106{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\07D9CFCEC82367373F12C4656FD4B315391530F92023-01-17 10:38:56.106 11241100x8000000000000000104704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\03FBE8326A420872E14C5034F036ACBC173006B62023-01-17 10:38:56.105 11241100x8000000000000000104703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.105{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8219CF99073EE581ACFFEAF0C4E7498904117C182023-01-17 10:38:56.105 11241100x8000000000000000104702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.104{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\22E02C4BB991ED2BB4AAD4A6A7CAE5102F78B9CD2023-01-17 10:38:56.104 11241100x8000000000000000104701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.104{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\26A72DE24E36932A476E9F43C90C4B8F5A96D1AF2023-01-17 10:38:56.103 11241100x8000000000000000104700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.103{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9388FACAF65D5F9542C3B2A098CD3570EC09DA632023-01-17 10:38:56.103 354300x8000000000000000104699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.228{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local52279- 354300x8000000000000000104698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.228{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53656- 354300x8000000000000000104697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.227{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local50663- 354300x8000000000000000104696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.227{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51838- 354300x8000000000000000104695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.222{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local56020- 354300x8000000000000000104694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.221{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local55918- 354300x8000000000000000104693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.221{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local51902- 354300x8000000000000000104692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:54.112{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local63194- 11241100x8000000000000000104691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.102{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4D915739CA5A1135A9BE7563690FD2A6296A86562023-01-17 10:38:56.102 11241100x8000000000000000104690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.102{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 11241100x8000000000000000104689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.101{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5AC12FDCFBCCC58E1647872A22173B0F0B3002F12023-01-17 10:38:56.101 23542300x8000000000000000104688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.101{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27579CD284E6F696926A042A8E03AE29,SHA256=449A5E65E03DDAFF3EA530CE76B5D76F0C194581AA31B82EFD18C51721AC1E95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.080{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A6BB3FA8A2F080C91655709DA078CFA92328BE252023-01-17 10:38:56.080 11241100x8000000000000000104686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.080{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8C891FEBD06FEE963F0AD5AAF18D85308AB0609F2023-01-17 10:38:56.079 11241100x8000000000000000104685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.079{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7CED5EBD66DF6D5734E687D47851F60BFB0C90E42023-01-17 10:38:56.079 11241100x8000000000000000104684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.078{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B49B0BBFC8DACBFDE8D381C3C8AAAD353E7A835A2023-01-17 10:38:56.078 11241100x8000000000000000104683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.078{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DBEE7BC88F52C9048186F82ADA40820CF77715532023-01-17 10:38:56.077 11241100x8000000000000000104682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.077{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\06A234280027C6E371447B622B7AA9D38CCFB9672023-01-17 10:38:56.077 11241100x8000000000000000104681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.076{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\85E4DEDB12D4D6482A35A2656A298BBA0B7E34C62023-01-17 10:38:56.076 11241100x8000000000000000104680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.075{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4518CE7958DB100B46FDA8AEADBFAC74938D32F82023-01-17 10:38:56.075 11241100x8000000000000000104679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.058{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7B5F03BD37F30516364A16363BEDFAC5DE5B0E8C2023-01-17 10:38:56.058 11241100x8000000000000000104678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.057{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\84C6BD7BF11B1C7ADE58E44B05446CC6C4A96B572023-01-17 10:38:56.057 11241100x8000000000000000104677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.057{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F41614A9DF464377D61B8056DD3BA9A08C3214A22023-01-17 10:38:56.057 11241100x8000000000000000104676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.056{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3CCE3B244B9D4C18927BDA83A6A843A6DF8E48092023-01-17 10:38:56.056 11241100x8000000000000000104675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.056{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EFFEF714440C4CFECEF599C3A2FE594FEB97F0F12023-01-17 10:38:56.056 11241100x8000000000000000104674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.055{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C4E72DF409F263CC79FCEC654D7CDE6E7E4C78282023-01-17 10:38:56.055 11241100x8000000000000000104673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.054{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1EAE3A48D0A4A59DE594F36AE83F8099EC189DAB2023-01-17 10:38:56.054 11241100x8000000000000000104672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.053{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\96E554EB6AC4248A43DA320ECCFDB99D4D4A68982023-01-17 10:38:56.053 11241100x8000000000000000104671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.036{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CCBD06E40E06BFA15768D2A380A96C2D44E92F572023-01-17 10:38:56.036 11241100x8000000000000000104670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.035{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A50509DDE72672858C159209F332FD98390C43C62023-01-17 10:38:56.035 11241100x8000000000000000104669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.035{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\895C61624918B96B9E0AF0F0D991DA33984FEFFC2023-01-17 10:38:56.035 11241100x8000000000000000104668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.034{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\991E88C122E6826699A995E64161D39E704D0AAB2023-01-17 10:38:56.034 11241100x8000000000000000104667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.034{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5F8306120713C4044A021B4F4A05C1E61BD2C7FF2023-01-17 10:38:56.033 11241100x8000000000000000104666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.033{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8044C7C0C198ADB0C7F04CF772199682C33C5DED2023-01-17 10:38:56.033 11241100x8000000000000000104665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.032{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9CA4F3444A789C4736E69173A168EE900676A6662023-01-17 10:38:56.032 11241100x8000000000000000104664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.032{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\935951FC5809A45F62181AD89179AF7F2CEABDF02023-01-17 10:38:56.031 11241100x8000000000000000104663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.015{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F0DA6D3449150707CF62BE84FDE39B61F3C2AB12023-01-17 10:38:56.014 11241100x8000000000000000104662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.014{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0422D8640EA2A2735C9E111CC920439EC9350DCD2023-01-17 10:38:56.014 11241100x8000000000000000104661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.014{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\29B89A77CDDA3FF294FF37831C8842197B1F44902023-01-17 10:38:56.013 11241100x8000000000000000104660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.013{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\32799F318CF576C768776C37640E1423F00EF3702023-01-17 10:38:56.013 11241100x8000000000000000104659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.012{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4C91AEF39024CCC63E24B9E37185B067ADEC0D082023-01-17 10:38:56.012 11241100x8000000000000000104658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.012{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F4F69008B100FEC77DFE396B22D6EE55F6BCFED2023-01-17 10:38:56.012 11241100x8000000000000000104657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.011{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8E66E6F3EE828EA6ECD2D4BADF3BFC2B8B7C56312023-01-17 10:38:56.011 11241100x8000000000000000104656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:56.010{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3B79B06E04AB6BDA7DDB73E84B49713618D1A4972023-01-17 10:38:56.010 23542300x800000000000000070962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:57.805{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC32FE54CFE1013688837F435240E18F,SHA256=C7CE14CC67799AA1FE4F991BC75E9AA63B6AE11BD67A0DE7F486F47734D44F55,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.998{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C55FF6D93473C3E92205955D034463BB7C040A5F2023-01-17 10:38:57.998 11241100x8000000000000000105394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.998{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F5EF9F513EB970E2EA7BB76EF6DDEA13431641652023-01-17 10:38:57.998 11241100x8000000000000000105393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.997{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6D2882C927990648C4F379CD2E429D19B69BDA962023-01-17 10:38:57.997 11241100x8000000000000000105392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.997{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E908CE58D173330083C1E753E0B8BACA78857FF22023-01-17 10:38:57.997 11241100x8000000000000000105391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.996{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9D42990685F55378F98F855AE10A0408ABD190312023-01-17 10:38:57.996 11241100x8000000000000000105390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.995{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4B049B195D52DB6F0104C324F1847D5D2E9DDB662023-01-17 10:38:57.995 11241100x8000000000000000105389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.995{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F47FE8A35A05BB6E38FBA6DEED3CB44E3C0C84462023-01-17 10:38:57.994 11241100x8000000000000000105388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.994{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A5CB0F4555A5B47488E6D71B0558AB799033399F2023-01-17 10:38:57.994 11241100x8000000000000000105387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.978{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4947B324D026C16CF980F0893C51822658DB98F62023-01-17 10:38:57.976 11241100x8000000000000000105386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.976{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3D869E6E47FED7F24D83C8ABC257AFACBEA251062023-01-17 10:38:57.976 11241100x8000000000000000105385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.975{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\91780769668B84073D736130F75DB78D2B0F0CF92023-01-17 10:38:57.975 11241100x8000000000000000105384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.975{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A9E061369EBDD9AFC38426CCA289CD925F98F71F2023-01-17 10:38:57.975 11241100x8000000000000000105383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.974{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1DFFF003859C1E8E3F190A1F9C33684AEC789F8E2023-01-17 10:38:57.974 11241100x8000000000000000105382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.974{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B8619BA0E535C4A213DF853E5BB01B400C1819782023-01-17 10:38:57.973 11241100x8000000000000000105381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.973{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9BDC2C813B357CDA562D10B18E94CE4C5FA6B9E82023-01-17 10:38:57.972 11241100x8000000000000000105380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.972{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BD8F8A8DAF4AFC7598A14B4221592FEB3FC65E1D2023-01-17 10:38:57.972 11241100x8000000000000000105379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9D83A2060385F6EEFC33714CD0F334C25A32B7C22023-01-17 10:38:57.945 11241100x8000000000000000105378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B152F6CBDF1114F6D27470CBD5197A7DFF79DBFE2023-01-17 10:38:57.945 11241100x8000000000000000105377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AEF76DE0DBB7AACAA598CEAD49B35E6B5FFE787D2023-01-17 10:38:57.945 11241100x8000000000000000105376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E842FB247D92FD6FF4BB332AAA7E237C136013742023-01-17 10:38:57.945 11241100x8000000000000000105375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6146DC1CF6CCD1FA93A102E209DA49BD4B50CEF22023-01-17 10:38:57.945 11241100x8000000000000000105374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9CBFBF91E9BF3EF3279A51E2902457CEE7F6ACFD2023-01-17 10:38:57.945 11241100x8000000000000000105373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\15AAB43D5F747AFA14B8B3CCCC7362A9B1C475F82023-01-17 10:38:57.945 11241100x8000000000000000105372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AF5E727C2B1514B3675CB9F9A84D6CA6094793702023-01-17 10:38:57.945 11241100x8000000000000000105371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.927{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\97C24968CA708241C75C3DA21528137D8E19A96D2023-01-17 10:38:57.927 11241100x8000000000000000105370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.927{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6BD9A9877BA24EA25C166F8EC0871B5FE855516E2023-01-17 10:38:57.927 11241100x8000000000000000105369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.927{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\621E72F3EE4B604FD00E4E5E29E60BE9938377B02023-01-17 10:38:57.927 11241100x8000000000000000105368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.927{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\14D285DC0B24A7DCB5920203B9B9D13BB3DDD1502023-01-17 10:38:57.927 11241100x8000000000000000105367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7FADFF82107EED63F3A3E715A299E37C32F4348D2023-01-17 10:38:57.918 11241100x8000000000000000105366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6C5BFDEB2AEEF2E40A5B12F3035AE6DD52616FD22023-01-17 10:38:57.918 11241100x8000000000000000105365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\79AC2CC00C48D3783CD3B69006578F8AEF2D9CAE2023-01-17 10:38:57.918 11241100x8000000000000000105364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E1FDC22F8D489877C45D700DCEAB4B2365CA18562023-01-17 10:38:57.918 11241100x8000000000000000105363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F3D873D801852A03B045822377465843FE3FE9A52023-01-17 10:38:57.900 11241100x8000000000000000105362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A7B3F4847CE28521B918644A165C275EE11B3F042023-01-17 10:38:57.900 11241100x8000000000000000105361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AA2101A86C6F4548272E87C29C5EBCE48940DC982023-01-17 10:38:57.900 11241100x8000000000000000105360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7DDE57EB5203471814AD340C7A3E91103A0B64492023-01-17 10:38:57.900 11241100x8000000000000000105359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0E9FA8C3119ACFB315B6CBBEC3DBD835A7B566D52023-01-17 10:38:57.900 11241100x8000000000000000105358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\487ACDA7FA2421B4740026B5EAE0B1042DC17FB62023-01-17 10:38:57.900 11241100x8000000000000000105357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\10D01611F37304B01BD7EB223C3D9631A05C17A82023-01-17 10:38:57.900 11241100x8000000000000000105356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7CAD25FA7F04D55D190B663EC4CA89CD24F501032023-01-17 10:38:57.900 11241100x8000000000000000105355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A2A91374527133152BAE60BD30CC23AFED97627D2023-01-17 10:38:57.882 11241100x8000000000000000105354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BF7DB59186C50CD9264E8E91604C1FE946D4F0262023-01-17 10:38:57.882 11241100x8000000000000000105353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B2368A8371D067C613DE7EC0582FF0D59CC794C62023-01-17 10:38:57.882 11241100x8000000000000000105352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C1B260039BF7888D99F45605FBE9334F2421018C2023-01-17 10:38:57.882 11241100x8000000000000000105351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1F9A5A4F61F49C4F9674411AE6815B704531D2E62023-01-17 10:38:57.882 11241100x8000000000000000105350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ECBE462A7967CB0E69293D33DB1E9B5088D43CAC2023-01-17 10:38:57.881 11241100x8000000000000000105349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.881{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7EB7DB17BB0161A8038A8597A21796A2840F267B2023-01-17 10:38:57.881 11241100x8000000000000000105348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.872{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2FA06FF074BBF669B138972E8A0594962850D7EE2023-01-17 10:38:57.872 11241100x8000000000000000105347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.863{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A53CFF92D80DE3B6D818B2F93AC4886DD4C295EB2023-01-17 10:38:57.863 11241100x8000000000000000105346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F5634202E33D4E0D87636372DC53F31EC3E82432023-01-17 10:38:57.854 11241100x8000000000000000105345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\78A1DDD0B75636D4855E03B93CB0EF70030AFE362023-01-17 10:38:57.854 11241100x8000000000000000105344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FB70145916E7124D09B0E4C65B67C310D7ADC87C2023-01-17 10:38:57.854 11241100x8000000000000000105343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A369523890BC9FD6E5D94BD5AB9969FA19D4685B2023-01-17 10:38:57.854 11241100x8000000000000000105342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ECCDD2864B0FC5ED61D007BFE83AE7A1BDE37DC22023-01-17 10:38:57.854 11241100x8000000000000000105341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F95C0CFC2DB5C30687286977329928F801B032732023-01-17 10:38:57.854 11241100x8000000000000000105340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F211952873CF57221EE39011D9CA3CA95A35C7B02023-01-17 10:38:57.854 11241100x8000000000000000105339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BD337B546816C9A0BADC7FFDACE2E4D3C834A88F2023-01-17 10:38:57.836 11241100x8000000000000000105338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9ED660307122C177908D2FBB44F007997F7DAF552023-01-17 10:38:57.836 11241100x8000000000000000105337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2EB25E876B0816E893C071B55DD56335D4D415222023-01-17 10:38:57.836 11241100x8000000000000000105336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\40B60088F8FB170A76A0900CCD9BDFF3433CDA912023-01-17 10:38:57.836 11241100x8000000000000000105335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F34291A55BFC3F009F5B4935DEC9756B92C2CF372023-01-17 10:38:57.836 11241100x8000000000000000105334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7AD8B93445C83DFFD8D9C74F6174B3C7618CA9B62023-01-17 10:38:57.836 11241100x8000000000000000105333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C45B56688C5898343FF6BDBC0E9A78CF236D4D2C2023-01-17 10:38:57.836 11241100x8000000000000000105332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\25D44DD3CDD230AAB85D8CEB062A05AAA631087D2023-01-17 10:38:57.836 11241100x8000000000000000105331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.818{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CD54F85657401659E2447298F9CCF6D3496EE7EC2023-01-17 10:38:57.818 11241100x8000000000000000105330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.818{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C9B890C7C1B3CB733712319D955A336C8AE72BF02023-01-17 10:38:57.818 11241100x8000000000000000105329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.818{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4321908D0C970A767595B1DEB3B1B31845A518072023-01-17 10:38:57.818 11241100x8000000000000000105328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.818{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\27E89EF41AAAC3F528CF8A6437AC8DEA397F15892023-01-17 10:38:57.809 11241100x8000000000000000105327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\03D6A91D5BCC860AB127428109B7FAEF180035312023-01-17 10:38:57.809 11241100x8000000000000000105326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1C19C74EF9BC196CE73B5A82E3C9FB1874F7F3D32023-01-17 10:38:57.809 11241100x8000000000000000105325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3ED4E0590F60A46B954792E00E2141E76D0FBCA02023-01-17 10:38:57.809 11241100x8000000000000000105324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D96A2504AC2820F4539241EC0215458A997968ED2023-01-17 10:38:57.809 11241100x8000000000000000105323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8E4ADC2BCBE3EDBEE0F300AFA2373C83173B590B2023-01-17 10:38:57.791 11241100x8000000000000000105322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9817B548479A09BE396400A0AD3F81510523A0B62023-01-17 10:38:57.791 11241100x8000000000000000105321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9FFA4866430F83471AA43239F9084A53ECEAFD3C2023-01-17 10:38:57.791 11241100x8000000000000000105320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\24C0F89BFF2ACB57466EF3A09D666607D973424A2023-01-17 10:38:57.791 11241100x8000000000000000105319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.782{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F2CAF9FC63B8132FAAC7D87D176F6C10CF57AD252023-01-17 10:38:57.782 11241100x8000000000000000105318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.782{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\87B493DDDA8B943E8EEC5DD9A5847E9D44FD54072023-01-17 10:38:57.782 11241100x8000000000000000105317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.782{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\07511FFACCC5C16A77DB75B070B90A74C6D8A6D22023-01-17 10:38:57.782 11241100x8000000000000000105316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.782{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2A2F2C49639A69B18F6A3173B994B1793B6ABDAD2023-01-17 10:38:57.782 11241100x8000000000000000105315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.771{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3DFA7873B1EED580B5FB23047F136FC15F974FB92023-01-17 10:38:57.771 11241100x8000000000000000105314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.770{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9118E508E659DE097B275171B6C3D59796B5E1F62023-01-17 10:38:57.770 11241100x8000000000000000105313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.770{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2C033113E46D3048593E0378895288D5FDED56572023-01-17 10:38:57.770 11241100x8000000000000000105312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\263CF8961697DBD015011A1DE6CB726247A67CDD2023-01-17 10:38:57.769 11241100x8000000000000000105311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4B7863CB48E15380A812DA83BED21B1F69DC5E132023-01-17 10:38:57.769 11241100x8000000000000000105310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.768{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\85844B27C2BB66E66BC1A46965B5BA602E69516B2023-01-17 10:38:57.768 11241100x8000000000000000105309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.767{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CA41C52CB344F5C1C4DC7894655E23EF608004862023-01-17 10:38:57.767 11241100x8000000000000000105308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.767{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FC354EF881AD829ED79EBE884DA653820025C7822023-01-17 10:38:57.767 11241100x8000000000000000105307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0799353D7C14081ED2D262A30970553EA86278AD2023-01-17 10:38:57.745 11241100x8000000000000000105306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D521A4D8FE14B5C918AEEA940E61770EBC78F9822023-01-17 10:38:57.745 11241100x8000000000000000105305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6474276F68D8777752E4FFF747EE125EC2AAE7C32023-01-17 10:38:57.745 11241100x8000000000000000105304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\464F68ECA8180E504722477B8B1B570281D5B8DC2023-01-17 10:38:57.745 11241100x8000000000000000105303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\928AEF2AF686F0B45ECDD34100533290C13E47652023-01-17 10:38:57.745 11241100x8000000000000000105302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AE0EB97EAA5805E0E110B2CCCE8842FFB67AA1A02023-01-17 10:38:57.745 11241100x8000000000000000105301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F8747F48E3A7558B109ECCD883EA68B5E3464E0F2023-01-17 10:38:57.745 11241100x8000000000000000105300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FDADCD16E8FE00D5142D7570D21899534B9A39422023-01-17 10:38:57.745 11241100x8000000000000000105299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.727{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.727{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA09F82914462529CE19DCC9D19F580,SHA256=B84EE79AFD56ED30B44A2B0E012E55F82462005E4C60C62453AE6DA50138AC85,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.727{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\32DCF0BA23552E394B7403583A80C7A3A53D30ED2023-01-17 10:38:57.727 11241100x8000000000000000105296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EB4F0D4BB9E2818F232DCFEBEAC6611ADDCC1D1C2023-01-17 10:38:57.718 11241100x8000000000000000105295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\898781D96C089FAB58737E7E528C06922FFF47862023-01-17 10:38:57.718 11241100x8000000000000000105294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\63D49F453B39558E34FDADC9618207E95A30E43B2023-01-17 10:38:57.718 11241100x8000000000000000105293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B54C4C25BC0B68565D817B116BE3AFA5396C2BCA2023-01-17 10:38:57.718 11241100x8000000000000000105292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ED0CAA8BAF2AF51A8207B51AB5166DB697EF3CD22023-01-17 10:38:57.718 11241100x8000000000000000105291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\28C68B5F41D0DAFEA49F2DAA5131EE61EA63D7ED2023-01-17 10:38:57.718 11241100x8000000000000000105290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E1F19E380D69E0E07F8312011EFA8261B25953352023-01-17 10:38:57.718 11241100x8000000000000000105289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EF216E64245F8D27131A0B2713117513026ED31A2023-01-17 10:38:57.691 11241100x8000000000000000105288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0D490E5262F1C4B7BBF403016749A4F1EC68FC852023-01-17 10:38:57.691 11241100x8000000000000000105287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\436A40A1F769812D6F0271D4B6B8BE796A687D6C2023-01-17 10:38:57.691 11241100x8000000000000000105286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3690547B4FECF32823B8C5D2EDB02623C11C08A62023-01-17 10:38:57.691 11241100x8000000000000000105285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EDCADDAE8CE1FF45FC6C769F0DB020A865F0312B2023-01-17 10:38:57.691 11241100x8000000000000000105284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\17715DDA5572A1F8C54E72135A976509B04D04212023-01-17 10:38:57.691 11241100x8000000000000000105283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F5683DB16DB061140A2971E193D8975245FAFC942023-01-17 10:38:57.691 11241100x8000000000000000105282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9B69E5F50EB6BDBE78543A2EC26DEDB3B0873D7C2023-01-17 10:38:57.691 11241100x8000000000000000105281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.691{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1E3866B584D906DD8CB8840AB2070142E2DEA38A2023-01-17 10:38:57.691 23542300x8000000000000000105280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.691{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\doomed\18231MD5=F47BB47448FBD56928E8B3855EC75E46,SHA256=CFCC221E9881A0A4069B40EBB28CEAD6E80F386B1711AB4BC608F59D376B8711,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.682{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0DE541DDFD3AEFBA4F544DABBB10E7461E6814182023-01-17 10:38:57.682 11241100x8000000000000000105278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.682{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6ADAE2D724A89D977973BB050C78EA36468D7CD62023-01-17 10:38:57.682 11241100x8000000000000000105277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.682{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2D00CA8CE6BED9FDBBDE29012C9BC4A731B222322023-01-17 10:38:57.682 11241100x8000000000000000105276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.682{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FC926BF17E74F7913C49C4896EAFD5A0001018C62023-01-17 10:38:57.682 11241100x8000000000000000105275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.680{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6E6C17BCA5400F5A009A09AC3246BDDD289570ED2023-01-17 10:38:57.680 11241100x8000000000000000105274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.680{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A54E75E065F3BB1F71874D55D0DC2CFFD31F2B872023-01-17 10:38:57.680 11241100x8000000000000000105273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.671{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E00A20E5B69916524CAD738C64646BA00B39A80A2023-01-17 10:38:57.671 11241100x8000000000000000105272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.671{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E1CB6674D06ADBABCFD26E46587BC7FCDC184A442023-01-17 10:38:57.671 11241100x8000000000000000105271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FFC53DB04B32328D797F901711ABDDACA0402D1C2023-01-17 10:38:57.654 11241100x8000000000000000105270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4534F3D1E7C12F7C203903239E88AFBDA833E7252023-01-17 10:38:57.654 11241100x8000000000000000105269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\65083EDB905F2A12A568AEC62581FE7B17C8BC992023-01-17 10:38:57.654 11241100x8000000000000000105268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\648D7B4B68163ACC356AE415D6A3F54F6EC88BEF2023-01-17 10:38:57.654 11241100x8000000000000000105267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3D16F5C8848242BFFF5A6C9EE2C615B9754D7A452023-01-17 10:38:57.654 11241100x8000000000000000105266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\417DB1F4D9140D63AD108B67FA0C3994B03D7DA32023-01-17 10:38:57.654 11241100x8000000000000000105265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8C2055F47AC31F3975672A4EF81D8725FD55C7B02023-01-17 10:38:57.654 11241100x8000000000000000105264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.654{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ABBFD9B732613D3A005622B4D0DDC3443280F8062023-01-17 10:38:57.654 11241100x8000000000000000105263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.636{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CE6DF40B1287C7B9BEFEF83ED5D089A8FB861D972023-01-17 10:38:57.636 11241100x8000000000000000105262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.636{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CFCD1F741FE2C2515E61964B9F2E7BCBED52767C2023-01-17 10:38:57.636 11241100x8000000000000000105261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.636{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FFB3D9EBF34630F485F6D3364DCDA7E7D2FDF34A2023-01-17 10:38:57.636 11241100x8000000000000000105260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.636{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\82E14B091197006B6E938EBD880F4DF05610794F2023-01-17 10:38:57.636 11241100x8000000000000000105259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.636{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\15B97E2F19489CC28709BCEEA7F2D2B6B82ACED92023-01-17 10:38:57.636 11241100x8000000000000000105258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.636{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D0678A36AADFD615B4368B486A0CE6C4F1D39F5F2023-01-17 10:38:57.636 11241100x8000000000000000105257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.636{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\310125779FD0422A352E5D33EFB29F030362E5002023-01-17 10:38:57.636 11241100x8000000000000000105256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.627{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\37305C890A0224261B9ECF0E0A0CA3D56AC468A22023-01-17 10:38:57.627 11241100x8000000000000000105255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9D40F673F71CD81DD9A996311CC7DF035BB648582023-01-17 10:38:57.609 11241100x8000000000000000105254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D536BDD3058AB323C1B9087C6A7F9F71907A55922023-01-17 10:38:57.609 11241100x8000000000000000105253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\38F9EE70DAF1521B5860AEAFB6B73A413B876CE52023-01-17 10:38:57.609 11241100x8000000000000000105252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DFF93A65C99D55A5967831EF26099E9730BCEA6B2023-01-17 10:38:57.609 11241100x8000000000000000105251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\98F7BFBA2A44B4E9268375709EF6D90133B6BA5B2023-01-17 10:38:57.609 11241100x8000000000000000105250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E7EE24ED5B61F9E11FC00DE4C671FB128004C0062023-01-17 10:38:57.609 11241100x8000000000000000105249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7EDC0A2A2FD4F8CFB1C168787792CECF10FB04A62023-01-17 10:38:57.609 11241100x8000000000000000105248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.609{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7ACE68A283B8DE959B021D50071790FF2AFE50712023-01-17 10:38:57.609 11241100x8000000000000000105247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.591{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\32CB4C554F16735D1BE04969770310FC2166695B2023-01-17 10:38:57.591 11241100x8000000000000000105246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.591{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\11C8A0C44ACCFFF8B4F37581C0B14A4369BEFC112023-01-17 10:38:57.591 11241100x8000000000000000105245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.591{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B0769CE4B5FE061115D57616A2BE06B9F89C41FE2023-01-17 10:38:57.582 11241100x8000000000000000105244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\756F7FA1696DA0E2FF3CCB1E4708B8CFA48BBA4D2023-01-17 10:38:57.582 11241100x8000000000000000105243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ACEBB019AC830CD54164E764FE05468123F0F6622023-01-17 10:38:57.582 11241100x8000000000000000105242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0D5D0EA87E8CC16CFE0637E3E7BDDB5D49076A092023-01-17 10:38:57.582 11241100x8000000000000000105241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3F0638C0B01C112ACF05023548464CEC2A07AF8D2023-01-17 10:38:57.582 11241100x8000000000000000105240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.582{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0D5A27C085B7B4989BA1A315991AD1A0DAC8AD712023-01-17 10:38:57.582 11241100x8000000000000000105239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.567{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\408986BBE5B7291A4FC06FB3A30E2E676EC9D50B2023-01-17 10:38:57.566 11241100x8000000000000000105238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.566{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\891F4B5FFD2E0DB3A29CF2B051FAF16FA8E154F72023-01-17 10:38:57.566 11241100x8000000000000000105237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.565{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\31C580FA8313F7C8F1F40707C034B4019448C1322023-01-17 10:38:57.565 11241100x8000000000000000105236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.564{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B3D132244280A6B0EA32F666A3CD6F72A09685BC2023-01-17 10:38:57.564 11241100x8000000000000000105235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.564{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.564{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED092595187F1E89040C1428B37BCE98,SHA256=2E84EE7088850C598325350675E73050D24ECD0A699EAAD6E910C277EA0B3254,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.563{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\453A79318E0B7845D0A7228C72D9EE885BE0746B2023-01-17 10:38:57.563 11241100x8000000000000000105232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.563{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\28F1130C65B82F7B325E856D0770968A3C2807892023-01-17 10:38:57.563 11241100x8000000000000000105231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.554{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2B2114B4420DE74465F78B627B918B8C5307428C2023-01-17 10:38:57.554 11241100x8000000000000000105230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.554{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\37374FAC6E2C17B231D1EDBDE7131E6AECBC316D2023-01-17 10:38:57.554 11241100x8000000000000000105229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.554{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.554{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6427E1A6A528C3D4E4A1DBC2B3DCF635,SHA256=B60A9F60ACFBF171AFBBAC6A086E4D7C91B4D1E171430EF689B6C95A36888902,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.536{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D895A37014DFD56E39090E00D7405D2CEC9FDD312023-01-17 10:38:57.536 11241100x8000000000000000105226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.536{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E956D206DA4D33570E1BB4C66009606BCC2E35382023-01-17 10:38:57.536 11241100x8000000000000000105225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.536{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8EBBFE48158DB366180E03A70898CA6E826892FD2023-01-17 10:38:57.536 11241100x8000000000000000105224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.536{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A9544A3C0AF90FD0B9B254B1F1C86146C5D78D122023-01-17 10:38:57.536 11241100x8000000000000000105223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.536{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\59DA92CF3D3E13E88DA4B7003679A471AFEF0FB02023-01-17 10:38:57.536 11241100x8000000000000000105222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.536{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B297B73454E3CF0402E634615D1E68A6F3BE11272023-01-17 10:38:57.536 11241100x8000000000000000105221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.536{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\803F58594C30667A4D6864E9CA5503484A0827AE2023-01-17 10:38:57.536 11241100x8000000000000000105220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.536{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\62528B22FBFFCB4437B7055D35F51FDE0CAB9BE12023-01-17 10:38:57.536 11241100x8000000000000000105219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6684C57F3C3157D8434BEEE087C10B85411F55F22023-01-17 10:38:57.518 11241100x8000000000000000105218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2811E3A1784A416A1F878D78242204F1575DC6402023-01-17 10:38:57.518 11241100x8000000000000000105217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F05F4B0886E027C6F44B09F79874407AA826D4F12023-01-17 10:38:57.518 11241100x8000000000000000105216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F2FEE011172805B68FEEF0B23F728C630942A8AF2023-01-17 10:38:57.518 11241100x8000000000000000105215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8BE56D2449B839E67E6B0A9A241C810E4033E1462023-01-17 10:38:57.518 11241100x8000000000000000105214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7DD4DBD629025DD1F83366447B8C3BB9ED76FA212023-01-17 10:38:57.518 11241100x8000000000000000105213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0546DBB379AF79E027D7BD3964914161912316F72023-01-17 10:38:57.518 11241100x8000000000000000105212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.518{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1AD4747586A52CC1D87C1425E34DA985E5BC5C9C2023-01-17 10:38:57.518 11241100x8000000000000000105211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.500{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C9C9B0A28C66A91E1750A25124E2174D5AE72DF92023-01-17 10:38:57.500 11241100x8000000000000000105210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.500{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AE76B916BCD74C2B08E96FAFFE4C4F830CF2CBD02023-01-17 10:38:57.500 11241100x8000000000000000105209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.491{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6D09A31E191E527BCE01F73CDDFEB036E41FBA5F2023-01-17 10:38:57.491 11241100x8000000000000000105208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.491{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3144802E23185E3F4E81CBFE6DF1E5FCD25F5C742023-01-17 10:38:57.491 11241100x8000000000000000105207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.491{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F70D5CDCA9C8CB39685BD35C8DD0C9F6868A4F382023-01-17 10:38:57.491 11241100x8000000000000000105206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.491{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D73C4F0ADBCC6A51C4443FB6CD1058231CEB5C682023-01-17 10:38:57.491 11241100x8000000000000000105205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.491{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2766195C6454006FEF1BD8D0FAFD89B8474262822023-01-17 10:38:57.491 11241100x8000000000000000105204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.491{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4BD451CB2214EFEA7044614AF8C3B2A5F3A13A792023-01-17 10:38:57.491 11241100x8000000000000000105203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\67CBA90B0A233C828C30516CD133A4F54D8DE8682023-01-17 10:38:57.471 11241100x8000000000000000105202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\089A24AFD7B4C2240ED62C091D2B6399047BD66E2023-01-17 10:38:57.471 11241100x8000000000000000105201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C16936518C44C13E44CB7307F9E7826097E486952023-01-17 10:38:57.471 11241100x8000000000000000105200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\60506C606E0AA263FE7760C6AE2B7E8A6FEFE3B92023-01-17 10:38:57.471 11241100x8000000000000000105199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5A0F40C4EEE786CDC0FDAF19EC62A8007EF184DC2023-01-17 10:38:57.471 11241100x8000000000000000105198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\61EA98FF3177701DC345A05DC89FA2A968CEE63B2023-01-17 10:38:57.471 11241100x8000000000000000105197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\02D03B0187F666784932E60A97B688B66AE315B82023-01-17 10:38:57.471 11241100x8000000000000000105196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.471{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2787DE2820A5CDD01978D00E4550F41BEC8F63812023-01-17 10:38:57.471 11241100x8000000000000000105195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.445{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8533250550E325088EC5328381DD649E3C5E80102023-01-17 10:38:57.445 11241100x8000000000000000105194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.445{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A3CCF745A7EFF9DCAC43542692C16DBC8B1A20972023-01-17 10:38:57.445 11241100x8000000000000000105193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.445{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\914B022A0EEB05477AECC27167ECC4AE068FD9292023-01-17 10:38:57.445 11241100x8000000000000000105192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.445{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\210963866FE6BD0831A4CA6A3956AC16D74A66942023-01-17 10:38:57.445 11241100x8000000000000000105191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.445{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\50C456134936BE38D689438DE08DDD34D0C44D012023-01-17 10:38:57.445 11241100x8000000000000000105190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.445{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1C8B7AF78E2471D4BDA765C7A2E9C6B653E0DF482023-01-17 10:38:57.445 11241100x8000000000000000105189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.445{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3F9065751ACA4EFE73652FE54C55992CF902AD282023-01-17 10:38:57.445 11241100x8000000000000000105188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.445{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D47DCFA2BF28B85F4C006FE2364C77DA87258B772023-01-17 10:38:57.445 11241100x8000000000000000105187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.427{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F118ECFB06A9DE24A1514E97FF4903CDD74928E62023-01-17 10:38:57.427 11241100x8000000000000000105186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.427{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\25CB486273A861CB40459328715928E0DCC3615F2023-01-17 10:38:57.427 11241100x8000000000000000105185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.427{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E0F415FDD27C24B3D46F5747C9FB8BCFE34D25312023-01-17 10:38:57.427 11241100x8000000000000000105184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.427{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F22D6EB089027F575172AC8E7E04A11B7B2EE0932023-01-17 10:38:57.427 11241100x8000000000000000105183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.427{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C4165CC46EE3F5C1BE83D41E5F5AAB28D188256F2023-01-17 10:38:57.427 11241100x8000000000000000105182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.427{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\930677D3C4F8AB00A8131243289E234E8275E3122023-01-17 10:38:57.427 11241100x8000000000000000105181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.418{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3E2A052D26EC8CD53F2CAC9EEBDA8B0362A2BF712023-01-17 10:38:57.418 11241100x8000000000000000105180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.418{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CFD90B0773E1A7ECBFE07F19A84BF323796E36DB2023-01-17 10:38:57.418 11241100x8000000000000000105179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D1F3D9EA8720B0551599D81352B18990A3CA2A102023-01-17 10:38:57.400 11241100x8000000000000000105178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7BBE62AB0EDDCC3DBA38B20C7DA8490FC13826792023-01-17 10:38:57.400 11241100x8000000000000000105177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7041218A2ED59F43654E7BFCD93CDCC5C01416D42023-01-17 10:38:57.400 11241100x8000000000000000105176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D1D0B7DD07F34719E71A96701D3F6483A758C59F2023-01-17 10:38:57.400 11241100x8000000000000000105175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\075472D0635656D46D92B22D8A62341B728FA9DF2023-01-17 10:38:57.400 11241100x8000000000000000105174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3E7F96B33CF4DBC70D2CBF80F5D0B4D37FA94FD12023-01-17 10:38:57.400 11241100x8000000000000000105173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\00E4834B3CFBFCEDD2D78FB0B61EE5955176910F2023-01-17 10:38:57.400 11241100x8000000000000000105172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.400{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\48DFB437BAB40DF7BF6C3871C71EAFE59DFF8B8A2023-01-17 10:38:57.400 11241100x8000000000000000105171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.382{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8A1D8A61D9BF2BC9CA32A8BFE96255E7E6F96DEE2023-01-17 10:38:57.382 11241100x8000000000000000105170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.382{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\131C88A74CB0D1A9AD91F637D07059B863F74F572023-01-17 10:38:57.382 11241100x8000000000000000105169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.382{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7708779B8126BDEBC5B6B46FE41AD7E7F5A759012023-01-17 10:38:57.382 11241100x8000000000000000105168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.382{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1DDB01ADA350A5E6A8EDFC324FB460D42206122C2023-01-17 10:38:57.382 11241100x8000000000000000105167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.382{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5CC2FEFF071CA3017BF4E5204AF16B3863BA6AEB2023-01-17 10:38:57.382 11241100x8000000000000000105166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.382{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C5D0FBA3DDBFF41A8D27638A1549D0BBF99919A32023-01-17 10:38:57.382 11241100x8000000000000000105165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.382{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0EA6B74DA73DA058D0A3E45AE9530765BC001EAD2023-01-17 10:38:57.382 11241100x8000000000000000105164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.380{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6219C36ED0401723FBD12760F190ACBF9DAD67382023-01-17 10:38:57.380 11241100x8000000000000000105163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.355{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6AB40611F2288B2E495737BA069AF40FA40C91F12023-01-17 10:38:57.355 11241100x8000000000000000105162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.355{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F6ED0EEB2317215D2B790E71965EA6394D13C2082023-01-17 10:38:57.355 11241100x8000000000000000105161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.355{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6FBE064E73EEA78BD9C570ED3F19FFE569DF7CC12023-01-17 10:38:57.355 11241100x8000000000000000105160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.355{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3038C967348333412871CBC8C7EA25F956F525162023-01-17 10:38:57.355 11241100x8000000000000000105159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.355{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3CA06DAABF07A9C609036ED1F58BA36D5396400C2023-01-17 10:38:57.355 11241100x8000000000000000105158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.355{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ADCCFA9B4A4C883B870957E617D8A18ACA017E562023-01-17 10:38:57.355 11241100x8000000000000000105157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.355{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4B414420121E1CD067CD43812521D972FA08C1532023-01-17 10:38:57.355 11241100x8000000000000000105156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.355{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DA69ACCE87C811B185A493E3C6A8D11D00A6FF7F2023-01-17 10:38:57.355 11241100x8000000000000000105155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.343{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\85B362EFD530CC37628659D1F22F8C7D8CBE9BD72023-01-17 10:38:57.343 11241100x8000000000000000105154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.342{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B678A34253C0D4D86029630283ED87195657FFB32023-01-17 10:38:57.342 11241100x8000000000000000105153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.342{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\22895D733ABE949D02FF1CC851F0916DE9456BDB2023-01-17 10:38:57.342 11241100x8000000000000000105152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.342{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0B4943837463C26AA902D47972D75183FC95894B2023-01-17 10:38:57.341 11241100x8000000000000000105151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.341{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D9E1E3AE2BB2B36E457D598195C73EA167D0F5312023-01-17 10:38:57.341 11241100x8000000000000000105150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.341{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\16F39E6505D5167BB775D4B7F9606EA8A6A432742023-01-17 10:38:57.340 11241100x8000000000000000105149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.340{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\49F27BE05E570284BFD40DB783E3280D3EA07BEF2023-01-17 10:38:57.340 11241100x8000000000000000105148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.338{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5DAAE5DEA4333351A0ABFD8551F08CFED1F176B32023-01-17 10:38:57.337 11241100x8000000000000000105147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.321{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\75AFEC12F627F4BB020A446B9A9A59D0744BDA592023-01-17 10:38:57.320 11241100x8000000000000000105146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.320{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A2314DD9D65CBF44C5DB434189D2B4373300535D2023-01-17 10:38:57.320 11241100x8000000000000000105145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.319{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\773D6BF47E9658767BEF3DC3EFF191388CF0B6222023-01-17 10:38:57.319 11241100x8000000000000000105144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.319{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7A97675AEB1A58A8F422EABB6A3156DB4D70D0842023-01-17 10:38:57.319 11241100x8000000000000000105143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.318{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A5E071469DD445A73A3F2251C74E6610CEC7539D2023-01-17 10:38:57.318 11241100x8000000000000000105142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.318{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\662034B4672EAD08BF502D93382F50EE910107FF2023-01-17 10:38:57.318 11241100x8000000000000000105141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.317{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\91BD3A38D1DDD1017BFBE4773DBFB608E336B9532023-01-17 10:38:57.317 11241100x8000000000000000105140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.316{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C43C53F7BB082E15448E15EE9AA89E8E0C4374772023-01-17 10:38:57.316 11241100x8000000000000000105139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.299{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F0BBBE3BA708DCE0ED81C546327DD2789EDD26152023-01-17 10:38:57.298 11241100x8000000000000000105138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.298{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\537B370D97CFFE8836B277A45C7BF1274E0AD6DE2023-01-17 10:38:57.298 11241100x8000000000000000105137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.297{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2FB5B6D924046DD886E6CA1E0BC4735240D958DD2023-01-17 10:38:57.297 11241100x8000000000000000105136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.297{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\436965BD6765690AF2E93A947DFFA146E81DA0952023-01-17 10:38:57.296 11241100x8000000000000000105135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.296{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\51168BD79E2619231650F1F19DB58BF3471010A92023-01-17 10:38:57.296 11241100x8000000000000000105134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.295{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\73F13B28B91854EC92EDEE27D9A1BA97BAC859EB2023-01-17 10:38:57.295 11241100x8000000000000000105133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.295{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7F6DEED3C35691052F996CA8C2F1D4A587EB755A2023-01-17 10:38:57.294 11241100x8000000000000000105132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.293{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BE0FF2C96CC924794FBB4AF5EA8D1E8E89509C472023-01-17 10:38:57.293 11241100x8000000000000000105131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.273{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8E622B5F50F6093CDD06F513915789A82BB3A7AE2023-01-17 10:38:57.273 11241100x8000000000000000105130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.273{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5B82EC576439DC1CB12D7575D77D2FBE61A316762023-01-17 10:38:57.272 11241100x8000000000000000105129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.272{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7D2B98CE3E9F666FA06D1E908489895261660B5F2023-01-17 10:38:57.272 11241100x8000000000000000105128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.272{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B557218D91A2259F8B89532F38E91E5E96B0D4C62023-01-17 10:38:57.271 11241100x8000000000000000105127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.271{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\866121719F62876EB17617CDB134128E1C97F3192023-01-17 10:38:57.271 11241100x8000000000000000105126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.270{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CD8E438079C7DF9676EA6AC730B908EB77E7264B2023-01-17 10:38:57.270 11241100x8000000000000000105125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\90DF9043CCBB427E7D07F330CEB1D3520EA244672023-01-17 10:38:57.269 11241100x8000000000000000105124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8022700798B3409043628C6C7D3304783738E0472023-01-17 10:38:57.268 11241100x8000000000000000105123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.251{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C665F789EE3C5E1233327C2D36C4BC4D43C724E82023-01-17 10:38:57.251 11241100x8000000000000000105122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.251{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A34FB7921F963B40DD358BF44224C5ACD34FE84E2023-01-17 10:38:57.251 11241100x8000000000000000105121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C9CF845F8053EF4ACB4FF431A085EE71825D7BAF2023-01-17 10:38:57.250 11241100x8000000000000000105120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0EA60D3DC9A83363A5121A8A8E9F3E2E8D7C02D92023-01-17 10:38:57.250 11241100x8000000000000000105119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.249{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2B2B2D153CD58762F584A213CD8D3EB2CBD872B02023-01-17 10:38:57.248 11241100x8000000000000000105118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.247{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AE5920613666EDF3FB97D38B814F55CB24560D282023-01-17 10:38:57.246 11241100x8000000000000000105117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.246{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\76AF196B7E842967D8C5FA8DDC99895681C242672023-01-17 10:38:57.245 11241100x8000000000000000105116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.245{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\00BB77BC7A20E6BC735D09FE5E8D99560575A4062023-01-17 10:38:57.245 11241100x8000000000000000105115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.227{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6034BBB791C12C8AA0F1FE5059D9E165B26CA25D2023-01-17 10:38:57.227 11241100x8000000000000000105114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.227{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\876BE65E217BB5BFFEE8170D3F926272F8DFFF542023-01-17 10:38:57.227 11241100x8000000000000000105113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.226{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D844A95E8A15AA9DB2D7575066ABABFAB40EA07B2023-01-17 10:38:57.226 11241100x8000000000000000105112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.225{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1D8D21F1052CFBB1DC4D74EACC9B63E5A9945CB12023-01-17 10:38:57.225 11241100x8000000000000000105111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.225{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1F7ABC0FBDB7A4B2C87571910B05436357559B292023-01-17 10:38:57.225 11241100x8000000000000000105110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.224{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1EB2A1732510E3A7D210842CB2D0E83FBF7F7EEB2023-01-17 10:38:57.224 11241100x8000000000000000105109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.224{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7ECE726400A9F0CEC1E550B933615638DA28CEBB2023-01-17 10:38:57.224 11241100x8000000000000000105108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.223{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3C76677CB260329995B991AA400CF3E0D46B3F112023-01-17 10:38:57.223 11241100x8000000000000000105107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.205{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EDB1E1FAFEF1C33C78663601B92BEF970E47A1F62023-01-17 10:38:57.204 11241100x8000000000000000105106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.204{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E597809E0D8AEB27F77826982937369768598CC22023-01-17 10:38:57.204 11241100x8000000000000000105105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.203{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9D8D6E1FCBD7E3C91ACA4B2FE3924717DAFA545A2023-01-17 10:38:57.203 11241100x8000000000000000105104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.203{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E80C010FAFFE183CC6B6EC96A0387FF2082F58C42023-01-17 10:38:57.202 11241100x8000000000000000105103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.202{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\566008BCFBF2BC4164685211E531015389361D452023-01-17 10:38:57.201 11241100x8000000000000000105102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.201{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\30BEFBBB694A38939D7FFCD4CC67A5C185B25B2B2023-01-17 10:38:57.201 11241100x8000000000000000105101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.200{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\89CA25D4AF4F41A03DE99925D9C9F9F12DBCF1F92023-01-17 10:38:57.200 11241100x8000000000000000105100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.199{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7D3068D95854F134D95A4F99AC726E9DB395B0B72023-01-17 10:38:57.199 11241100x8000000000000000105099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.182{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\332A90D3D9B6F5D996458DF837E4257C9E773A7D2023-01-17 10:38:57.182 11241100x8000000000000000105098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.181{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\03E2CCF0F622B84F087E8765B25E1B9488E647C62023-01-17 10:38:57.181 11241100x8000000000000000105097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.181{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1A98D5A10C8F626ED619371F3F4258BFA1A96CE22023-01-17 10:38:57.180 11241100x8000000000000000105096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.180{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9D5A22C4D6961DAC18457B596E4F9591505D2EC02023-01-17 10:38:57.180 11241100x8000000000000000105095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.179{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2F7AD320C9A19A2E093D62B0C379ED46D0404FE32023-01-17 10:38:57.179 11241100x8000000000000000105094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.179{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5EA9BFE62314AA46F58502169DC9FFE992EE89A32023-01-17 10:38:57.179 11241100x8000000000000000105093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.178{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4F49E90F6E5242D79C092AE7FD645FA2331B02F12023-01-17 10:38:57.178 11241100x8000000000000000105092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.177{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\918F9494F2C8DB2F3ACB1D71C723B4A0918C77FD2023-01-17 10:38:57.177 11241100x8000000000000000105091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.160{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C5B4919D99773E0F8FEA6CBDFFD511234908FB1B2023-01-17 10:38:57.160 11241100x8000000000000000105090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.159{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\689E93AE616391A5FCABAB703C82BBB7549A0E092023-01-17 10:38:57.159 11241100x8000000000000000105089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.159{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\18A939C2764ADA023CD37C492D62BE9242E566F32023-01-17 10:38:57.159 11241100x8000000000000000105088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EBD03B11D95ABDE064456E196E3FC6D28EDCBC6D2023-01-17 10:38:57.158 11241100x8000000000000000105087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8800A505380EA59E2C0DE12EBCC09D00FD149A4C2023-01-17 10:38:57.158 11241100x8000000000000000105086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.157{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CDA388CAC366A983F683F2B31BBCBFC37E8436BE2023-01-17 10:38:57.157 11241100x8000000000000000105085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.157{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4E8EE7086D64832AF266C8A03B4E60C3F8B48FE92023-01-17 10:38:57.156 11241100x8000000000000000105084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.155{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9328CD236E5F492A5ED9DF812B2162CE3867BC1F2023-01-17 10:38:57.155 11241100x8000000000000000105083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.138{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4D86471A5BF852A46AD2A65F612A85550C0DCF0F2023-01-17 10:38:57.137 11241100x8000000000000000105082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.137{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D86CD7E5667FFAEACF2089C6E5BA89B5E01AEC152023-01-17 10:38:57.137 11241100x8000000000000000105081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.136{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BB99BB1182E4FC78957D325ACBEEA151174A06882023-01-17 10:38:57.136 11241100x8000000000000000105080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.136{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5FED1A9B09A37E81FDFE689FD715FA866CAD22902023-01-17 10:38:57.136 11241100x8000000000000000105079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.135{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\64336AADA86C420C08269F06DE7D0BD099E808E32023-01-17 10:38:57.135 11241100x8000000000000000105078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.135{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EB0F95EF4A42EEEE9F2FD3EFC40229AADFF949182023-01-17 10:38:57.134 11241100x8000000000000000105077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.134{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9B8B907CC12DA2405F4F5D8501B9847697DA7C8A2023-01-17 10:38:57.134 11241100x8000000000000000105076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.133{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\01B324FBE6C5C939857D76B1217BA5E8F0F395D62023-01-17 10:38:57.133 11241100x8000000000000000105075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.110{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C675AB7656A97C2AC867805F5A92AA810097CAAB2023-01-17 10:38:57.110 11241100x8000000000000000105074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.110{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\54B914E1EED1095A7FA4DBAF1A6949D34ABE7FF62023-01-17 10:38:57.109 11241100x8000000000000000105073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.109{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5D06658D33A527FA65BD6367C953C196161A57642023-01-17 10:38:57.109 11241100x8000000000000000105072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.109{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F57C4DDC560597FEE3C07B35B5FE761BCDB86C5D2023-01-17 10:38:57.108 11241100x8000000000000000105071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.108{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D137637385324C2E0FD9BB1815FF1CD220C80CD52023-01-17 10:38:57.108 11241100x8000000000000000105070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.107{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\78E11FF46E0A596B5AC1AD4DDFCDA03414428E1D2023-01-17 10:38:57.107 11241100x8000000000000000105069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.107{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8C3A8C16A9C8BA2279829657300507724F66D5512023-01-17 10:38:57.107 11241100x8000000000000000105068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.106{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B08E4B000DB1B70D1A20CB46397FABBD3A4ADC602023-01-17 10:38:57.106 11241100x8000000000000000105067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.088{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8856DEA8B6B3F86805B30B23AE756078400790392023-01-17 10:38:57.088 11241100x8000000000000000105066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.088{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F6E91E200A8EB9F4408A4625B6862B1F3E270D292023-01-17 10:38:57.087 11241100x8000000000000000105065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.087{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BE6B6422A8B4AE0C6B67C1ED4C6873819EE7DC3C2023-01-17 10:38:57.087 11241100x8000000000000000105064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.086{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E930EAA461CBA8D7A60235D7DCFF26F8725E792F2023-01-17 10:38:57.086 11241100x8000000000000000105063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.086{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BA0FE14DD445FDB45194FE590D33340BD92DD8AB2023-01-17 10:38:57.086 11241100x8000000000000000105062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.085{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C165BA0903D427F12C3221CDEC81B31D87FA7AC12023-01-17 10:38:57.085 11241100x8000000000000000105061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.084{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4375C007A6074B023B389853E1C3C0A9084B27CC2023-01-17 10:38:57.084 11241100x8000000000000000105060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.083{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\70725A6F0438318E2CC458492B12DA7D44175D202023-01-17 10:38:57.083 11241100x8000000000000000105059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.066{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4D2E9B0E266E63B14ADCB97FF79636F74E233A5A2023-01-17 10:38:57.066 11241100x8000000000000000105058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.066{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F7B26D756E3D5C982761D3C73DFC11A79C1910432023-01-17 10:38:57.066 11241100x8000000000000000105057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.065{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BC97A0D25C4F0636D4F857158C35413D162096602023-01-17 10:38:57.065 11241100x8000000000000000105056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.065{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F37B58AA30AE2CFC8E13E4A3AC556208DE25AED2023-01-17 10:38:57.064 11241100x8000000000000000105055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.064{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4F6D41EC5FB1E5788DB8233C176B78583B4B4E5E2023-01-17 10:38:57.064 11241100x8000000000000000105054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.063{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DE7B697EC345D090998EE35F1C55C680B12B937C2023-01-17 10:38:57.063 11241100x8000000000000000105053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.063{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9830C421348B5D2353A39D5B76C961B9F352874F2023-01-17 10:38:57.062 11241100x8000000000000000105052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.061{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C3371EF1BAD7C1F4B56904001706BB07173328192023-01-17 10:38:57.061 11241100x8000000000000000105051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.044{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BC93E0AAF047011815292E20FC641BAD35D8AF352023-01-17 10:38:57.044 11241100x8000000000000000105050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.044{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CDEE146BC391F821842E258F1207FE22649AE8172023-01-17 10:38:57.043 11241100x8000000000000000105049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.043{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7C785EB7B61E9F1B8D10FDA750F20C11706335712023-01-17 10:38:57.043 11241100x8000000000000000105048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.042{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EB8AE6D47C27FAA69F6ED9BDE5696192628A9E712023-01-17 10:38:57.042 11241100x8000000000000000105047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.042{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EC5191C6497093AE3C0EE4D2C3318B005978D6F42023-01-17 10:38:57.041 11241100x8000000000000000105046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C1C3EA39BE3517EE7FD6D5923628AF68D46266AE2023-01-17 10:38:57.041 11241100x8000000000000000105045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.040{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2D79B4C8B42E88893C8539D3270EBD2132E3536D2023-01-17 10:38:57.040 11241100x8000000000000000105044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.039{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\030357127ACB3D34655C9A73B9201EBB8A183C9D2023-01-17 10:38:57.039 11241100x8000000000000000105043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.032{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.032{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DCAC00E5CDCCB3CF6428FE05439D81,SHA256=6586D15EDAA3A6E74D1C3B6A50D4EC7385F00A10A9A554924860AD18873B6282,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.021{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7ACF6351934894006F5D0364F3DA47095459A7052023-01-17 10:38:57.021 11241100x8000000000000000105040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.021{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B17FA2A72A9CD4FA08793500B5E7412934A29B932023-01-17 10:38:57.021 11241100x8000000000000000105039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.020{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2E8E74C8905197EB92D631AA0A88B951D5427EAF2023-01-17 10:38:57.020 11241100x8000000000000000105038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.019{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AB855FA157451E321BD98398C75270C61A4C33142023-01-17 10:38:57.019 11241100x8000000000000000105037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.019{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C50C0F240DB779ED1C0261E812A031C935CAF2FF2023-01-17 10:38:57.019 11241100x8000000000000000105036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.018{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3C1CD2483060930DB72B6AD28CBA0137C03F1FC62023-01-17 10:38:57.018 11241100x8000000000000000105035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.017{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2CE4F09DA15304C5F36D96476DDC25BE8BE332132023-01-17 10:38:57.017 11241100x8000000000000000105034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:57.017{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\02E1349A70FDD9BFC1F6F769C037E479D1E94AF92023-01-17 10:38:57.016 354300x800000000000000070964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:57.045{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50415-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:58.890{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C095860ABE696DF5439E4D57C71433B,SHA256=7931DF6981D1B6B1B6CCE57900B2E6790D45560E9AA73BE3CF2F2D06074F81A8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.972{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\989D2B374BDB4760BDC80BA2A49708CD6EAF41382023-01-17 10:38:58.972 11241100x8000000000000000105746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.972{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8BA888542AF27032C62546EB55D92B987AEF21F92023-01-17 10:38:58.972 11241100x8000000000000000105745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.971{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\522116C9CCFBCBDBF673D2A77FE1AA098A4068982023-01-17 10:38:58.971 11241100x8000000000000000105744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.971{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5D122F77DEF2FF3B7ADBCFC0D69872386B34D8CC2023-01-17 10:38:58.971 11241100x8000000000000000105743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.970{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\602B4BF4F14EE220E2BFA4A962D6363C3113B79E2023-01-17 10:38:58.970 11241100x8000000000000000105742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.970{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B62DC4C0EE280283CE28580C5E52A93C10C63A2A2023-01-17 10:38:58.970 11241100x8000000000000000105741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.969{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9777281630184BE574C38075FD892407B5B14E472023-01-17 10:38:58.969 11241100x8000000000000000105740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.968{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F220966ED3E0ADC9A5F59805C3F03F8A561A043C2023-01-17 10:38:58.968 11241100x8000000000000000105739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F9E18377656AE12F7B8892DE02523AA2253F24F02023-01-17 10:38:58.945 11241100x8000000000000000105738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5642225820C0CCF0F2F12CD1701A9CE65211F8AE2023-01-17 10:38:58.945 11241100x8000000000000000105737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D7F5C751B3E99FE0E2AFA16E959D1D387D8BACBF2023-01-17 10:38:58.945 11241100x8000000000000000105736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\424FAB4372C141DC3F33B1EF9B6E8A249775A2B22023-01-17 10:38:58.945 11241100x8000000000000000105735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A5F709C8174C9572C177C89E661D782D0CC663E12023-01-17 10:38:58.945 11241100x8000000000000000105734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\44A54626D1A0942ED1E3D1DD9C58DE88384D2A9D2023-01-17 10:38:58.945 11241100x8000000000000000105733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\54543996835EBCFFD0359BBB873BF83446215E752023-01-17 10:38:58.945 11241100x8000000000000000105732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.945{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1A47AE5E675F1FE54BD526B5EB39ED757CB5846C2023-01-17 10:38:58.945 11241100x8000000000000000105731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.927{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8C32B1B5E0638E87186E9449D5C96C14EBBD1E752023-01-17 10:38:58.927 11241100x8000000000000000105730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.927{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A03362D77E8B0AC1682CF3FA9E4491A94B9EA4DE2023-01-17 10:38:58.927 11241100x8000000000000000105729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.927{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\101B8215DD8D6BB1E4824AFD7BEF6154CA668A222023-01-17 10:38:58.927 11241100x8000000000000000105728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.927{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F977A326AA3BF0955F4AEB25DFFDB6804C508B652023-01-17 10:38:58.927 11241100x8000000000000000105727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\22FCB3D5CF160C213D96BB328D5B7A09F16AB6DB2023-01-17 10:38:58.918 11241100x8000000000000000105726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\14A8C8E0E51B3DD0427C99CDDBC448869C14192B2023-01-17 10:38:58.918 11241100x8000000000000000105725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FE48E7B736A4E8101AB95E093F8812F1337D49962023-01-17 10:38:58.918 11241100x8000000000000000105724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.918{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BE5454BCCCF4374E5C14AF6F845905095052921C2023-01-17 10:38:58.918 11241100x8000000000000000105723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BA2522771BF0F9EBC86E15AB8851B36F20E181492023-01-17 10:38:58.900 11241100x8000000000000000105722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B1B563C91D04D8A58F483F1104C2129389D59D732023-01-17 10:38:58.900 11241100x8000000000000000105721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B7854B3559B3BB79730B3FB61B82673AD3E415172023-01-17 10:38:58.900 11241100x8000000000000000105720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\952744394062A28154FB0F48B7C7B6A96D60AC902023-01-17 10:38:58.900 11241100x8000000000000000105719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0F2EA9872346E7E539723EA9D5B3E1CB800B8FD72023-01-17 10:38:58.900 11241100x8000000000000000105718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9C239F42F32FB7F2AEC30E80EBF1DF4B65894CF72023-01-17 10:38:58.900 11241100x8000000000000000105717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4E77AE3B2FAF6CD593AD442D2FC1557043BB4B672023-01-17 10:38:58.900 11241100x8000000000000000105716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.900{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AC2E732815EC8A48A40B4BEB20B2F1C51BE6AF0F2023-01-17 10:38:58.900 11241100x8000000000000000105715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C80B753637F1F97AE17E5F318258AA5D14CBD2302023-01-17 10:38:58.882 11241100x8000000000000000105714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\31785C1D13B103F505F0412539783DDFAF9369942023-01-17 10:38:58.882 11241100x8000000000000000105713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\56D7FD5537B159057E05DABCBC82BE698830A1EB2023-01-17 10:38:58.882 11241100x8000000000000000105712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D295E360CF7D78E6CF35DFDFC564C3BC097734042023-01-17 10:38:58.882 11241100x8000000000000000105711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B85F5365A3AF754DCBCD21B5663BEC3ED96E65A62023-01-17 10:38:58.882 11241100x8000000000000000105710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E99A72641C7E9CFE15212832C2550C893015BDD82023-01-17 10:38:58.882 11241100x8000000000000000105709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.882{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\67EC652B334762FD74A60426088DFF3D36BE8D442023-01-17 10:38:58.881 11241100x8000000000000000105708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.881{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\85A7832C89EA1742475162CFB793F2CCF42656362023-01-17 10:38:58.872 11241100x8000000000000000105707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.864{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\23C9F1E093C1AAA49468832A09017AD469F92B462023-01-17 10:38:58.864 11241100x8000000000000000105706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.864{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DB69F371F44AB71537D6C1E9B9D7495EC2F6ABD42023-01-17 10:38:58.864 11241100x8000000000000000105705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.863{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6B707B51E1E5323B8FAAC12FBA9E6757F62771712023-01-17 10:38:58.854 11241100x8000000000000000105704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A946D03FFABA1EF9040D1C63235D5E443CEEC4852023-01-17 10:38:58.854 11241100x8000000000000000105703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F81DA3961744C0BA9DF72D2672A976ACE2E5FDE72023-01-17 10:38:58.854 11241100x8000000000000000105702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E7D445CD1232B6F96A254D122FA76812680F3A212023-01-17 10:38:58.854 11241100x8000000000000000105701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D09A67BF222F16A178A5EEEB252E7BF1699E96102023-01-17 10:38:58.854 11241100x8000000000000000105700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.854{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8FBDF2749B53DCAF4823A76CC1F11F19BED79C602023-01-17 10:38:58.854 11241100x8000000000000000105699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\67B139B7F9146A3EF538705A1C28A7C7421B8AC22023-01-17 10:38:58.836 11241100x8000000000000000105698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\01AC7085C6FA9BE831895894125CEE11241A06B82023-01-17 10:38:58.836 11241100x8000000000000000105697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E39E75D49D1C24DF70F3B6F64B7E37AD96941B3E2023-01-17 10:38:58.836 11241100x8000000000000000105696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F3C9B1B461E22EF576380B20225603538EE6C4E02023-01-17 10:38:58.836 11241100x8000000000000000105695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6C59507DB77AADDACF864ABAA315E2BD359EFCEE2023-01-17 10:38:58.836 11241100x8000000000000000105694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9527786EDC7F53745FFCC99DDDFA223E14D04E212023-01-17 10:38:58.836 11241100x8000000000000000105693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6130C32A20E08DDE727BEC34F12BB67A51C3637A2023-01-17 10:38:58.836 11241100x8000000000000000105692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.836{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\25B620FE2E83985F1C64BB2ADAE0C7FD794B2A912023-01-17 10:38:58.836 11241100x8000000000000000105691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.818{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F2DF82944346563244EFACB1668CCB48FDE9BB512023-01-17 10:38:58.818 11241100x8000000000000000105690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.818{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EC42B3CC326E7F7E10647DDC90C3B954BE234E4F2023-01-17 10:38:58.818 11241100x8000000000000000105689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.818{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BCF52BFF2BE1EED65504D9776A2F0468A0ED3AF32023-01-17 10:38:58.818 11241100x8000000000000000105688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.818{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0693EAA9CCDD10CCEF953D1B93ACD9234E38739A2023-01-17 10:38:58.809 11241100x8000000000000000105687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3A1CE76522B63BFDDDBDE0A854016175FFF4A2D82023-01-17 10:38:58.809 11241100x8000000000000000105686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\038AF74DFA379A26D41C078652150B1B8EFD5DE22023-01-17 10:38:58.809 11241100x8000000000000000105685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5FDB6F4BC0F9BA94192407666B08EF6B90658F242023-01-17 10:38:58.809 11241100x8000000000000000105684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.809{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BBFA37CA46AE220530F6FD09B0265C525390EAD82023-01-17 10:38:58.809 11241100x8000000000000000105683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\900D8AA238CB37A844DFFF9B8B4B819401CB2EF72023-01-17 10:38:58.791 11241100x8000000000000000105682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6D3FE2FFD61B59AAF42B25153324470AEDE98DCA2023-01-17 10:38:58.791 11241100x8000000000000000105681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D02CD49BBA4184DF50CD10B6FCC19A72487F8D202023-01-17 10:38:58.791 11241100x8000000000000000105680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4A71166A6BD98E6FC14BC9DEDCBAE04DFCBF844A2023-01-17 10:38:58.791 11241100x8000000000000000105679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4652089C5B9D02D281225D036037614E7D24F5DA2023-01-17 10:38:58.791 11241100x8000000000000000105678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D5574120A3F0292ABB18FF86C8762920739948392023-01-17 10:38:58.791 11241100x8000000000000000105677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.791{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5D5EB31452B61224D14CCDD66CF1933BCE991F0D2023-01-17 10:38:58.791 11241100x8000000000000000105676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.782{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D2994B19A0AF71EF26D70B12F6B0E4E1668763572023-01-17 10:38:58.782 11241100x8000000000000000105675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.782{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.782{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59DDC433A0A937A8163446BDAF10AD0,SHA256=0C7F93B49EBA4AFBA1CB8F965445FB891E13B7948B7C8882986712B312412E78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.772{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\63E02C91BF15492BD7C08C5EB70B368D13CB5E4B2023-01-17 10:38:58.772 11241100x8000000000000000105672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.772{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D1B99C000B4F7677BFF6A89F8FFB576578690E812023-01-17 10:38:58.772 11241100x8000000000000000105671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.772{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0E1A51523F9A4F86FFE0DF39DBA2EF1FF61BC13E2023-01-17 10:38:58.772 11241100x8000000000000000105670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.772{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A51781416FA2C26C31C5E570B3C4565E4D6351542023-01-17 10:38:58.772 11241100x8000000000000000105669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.772{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4B7A138EC5BCED7E6E78EE723CA78745FA8C04732023-01-17 10:38:58.772 11241100x8000000000000000105668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.772{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C0E369F96DFFF1688000F57B389A3976D13EDC882023-01-17 10:38:58.772 11241100x8000000000000000105667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.770{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5F91D3A3446A7E50648A237A323AAE0587A5EB5F2023-01-17 10:38:58.770 11241100x8000000000000000105666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.769{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7C68F48E18C3F3E04830D2AAEF338F02F9ADD1072023-01-17 10:38:58.769 11241100x8000000000000000105665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\45C5BD1715F97E16F36CCB4E739C9903429E2BE22023-01-17 10:38:58.745 11241100x8000000000000000105664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\642EE33DB131BE7DB1788137591D24346C7F8ADF2023-01-17 10:38:58.745 11241100x8000000000000000105663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DC225F2C00C7EA96CD34E43C9F2BFE29E398DA552023-01-17 10:38:58.745 11241100x8000000000000000105662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A16CFF201EFA681B714F387D7D39C4113810E0662023-01-17 10:38:58.745 11241100x8000000000000000105661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DA607E30B6F0271FB66C2EBD01499A2FA42F68282023-01-17 10:38:58.745 11241100x8000000000000000105660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AF3B6832617D6B9F33C6130AE79C2C0C6399B83E2023-01-17 10:38:58.745 11241100x8000000000000000105659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1D514F536CCFD9518CF1EA4285F490298D4B8EDE2023-01-17 10:38:58.745 11241100x8000000000000000105658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.745{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4292C24C7F0694283AFCC85872F91E05B83179DB2023-01-17 10:38:58.745 11241100x8000000000000000105657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.727{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EBC7AA6979F46068AF965469F18EE16E6AFA72CF2023-01-17 10:38:58.727 11241100x8000000000000000105656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.727{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\42451081FCEE9167A8AF7418A156C81AA5074D642023-01-17 10:38:58.727 11241100x8000000000000000105655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.727{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\619F65515F7C68CB995DAD043DFC8BFB937ECA322023-01-17 10:38:58.727 11241100x8000000000000000105654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.727{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B5667D39DA50F28ACB408637C7C898B6DEF87F7A2023-01-17 10:38:58.727 11241100x8000000000000000105653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EE3ADE843B31F6EC5DDD3B99E44430BB8975A23E2023-01-17 10:38:58.718 11241100x8000000000000000105652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\183B438A3636BF460BE3DF23E02CE65E2610872E2023-01-17 10:38:58.718 11241100x8000000000000000105651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\44695AAECB5EB3AE386CEE24B363A723F6E123672023-01-17 10:38:58.718 11241100x8000000000000000105650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.718{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B7B083CD068AAB053B1E3232E9EAC15E59E051962023-01-17 10:38:58.718 11241100x8000000000000000105649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.700{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1EC8EB066CFF3E3C7D028193BC75B24D23C3CAA42023-01-17 10:38:58.700 11241100x8000000000000000105648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.700{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7D41178014E06C9A5BB1B5698211DF5238CFAFAF2023-01-17 10:38:58.700 11241100x8000000000000000105647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.700{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4F089DD942577F0E4E9524FA5D54A2F3D84D63AA2023-01-17 10:38:58.700 11241100x8000000000000000105646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.700{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7469DEC1D56B2B209557286526AC633349BFDAAF2023-01-17 10:38:58.700 11241100x8000000000000000105645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.700{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0091866340353D0575851D16AEB618E2AFA429C62023-01-17 10:38:58.700 11241100x8000000000000000105644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.700{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9D2C153BF0F04F593B98587D8BF81822DDA8EFFE2023-01-17 10:38:58.700 11241100x8000000000000000105643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.700{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4A261099FF7C3F4FF21E4CE0F1D175ACDE4139D22023-01-17 10:38:58.700 11241100x8000000000000000105642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.700{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6542E9DE663E38E0E6B1F5E4AF14904828CAF0AD2023-01-17 10:38:58.700 11241100x8000000000000000105641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.682{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B16C138E8E2DB4E817E33AC2171F0EE0D930610C2023-01-17 10:38:58.682 11241100x8000000000000000105640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.682{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\707663308BCB1D82F0E472D8FE959B03A96195CE2023-01-17 10:38:58.682 11241100x8000000000000000105639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.682{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7DA493B46060A07164A7DD7FB4908829675D0B672023-01-17 10:38:58.682 11241100x8000000000000000105638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.682{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AD17CEA56B37994262CBDF8C05F04A6BD887B82C2023-01-17 10:38:58.681 11241100x8000000000000000105637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.681{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2C7A05BB52FBE8E729ED70A58C792C326CEDF1732023-01-17 10:38:58.681 11241100x8000000000000000105636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.681{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FE9333AA585DB4966753D9B5C2B218D1158D5D332023-01-17 10:38:58.672 11241100x8000000000000000105635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E74AE9FF3B3F1FF6CEED4DE4429472EABE2988F92023-01-17 10:38:58.672 11241100x8000000000000000105634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.672{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\072606D1FBDDACFE07BE2603C11F983432C58B6A2023-01-17 10:38:58.672 11241100x8000000000000000105633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.662{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\18C247ED2EEC60856B4F4435B077EC8240D335E72023-01-17 10:38:58.662 11241100x8000000000000000105632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.662{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6AF2831DFDE992D1453B7B81A44F5D307AC56E152023-01-17 10:38:58.661 11241100x8000000000000000105631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.661{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\984B77696DC5B17034E7CC57682BF3732DFACB1B2023-01-17 10:38:58.661 11241100x8000000000000000105630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.660{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FEAE2ED79EC6CEB1DA02F281CDCCA3B079B609BB2023-01-17 10:38:58.660 11241100x8000000000000000105629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.659{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9578F0FDAA2F95E25F45F1E3CB2676B9CF66AD0D2023-01-17 10:38:58.659 11241100x8000000000000000105628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.658{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\75CF43905ABEDDAF38FD8926F0C1F695681D1AE62023-01-17 10:38:58.658 11241100x8000000000000000105627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.658{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4FB5D1919D8F89BBF381114F8F2E56AA417359CA2023-01-17 10:38:58.658 11241100x8000000000000000105626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.658{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7CB088B5EEC2DB8E0468B0AEBCE5B45A4A8869FB2023-01-17 10:38:58.657 11241100x8000000000000000105625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\40328257F373FC856156C6F048BD53E8F6A556092023-01-17 10:38:58.630 11241100x8000000000000000105624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C705FBDAA7C074538A9F62CA68AE24D023F25A042023-01-17 10:38:58.630 11241100x8000000000000000105623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4C014E64E40B7813032AACEEEE0299A4B2F846852023-01-17 10:38:58.630 11241100x8000000000000000105622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E3B8347FCFFC0FF7AEE0BEC3D8D14F2B28777D972023-01-17 10:38:58.630 11241100x8000000000000000105621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\144B85AB117C80F2FE8B813D3B3DE656A4A70CB62023-01-17 10:38:58.630 11241100x8000000000000000105620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8CD5F30713AB164C179B44B6DF12D039714A1B002023-01-17 10:38:58.630 11241100x8000000000000000105619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D332B5B357BC133468F66BF2882DA8E4AB6A79492023-01-17 10:38:58.630 11241100x8000000000000000105618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.630{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BDC49B60419D68CFB53B8384CB4F3002A00A877C2023-01-17 10:38:58.630 11241100x8000000000000000105617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.612{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8B6978E75235916CAF0C502F74A04ACB60F73ADA2023-01-17 10:38:58.612 11241100x8000000000000000105616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.612{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ACDACAE1289AF06ED79A1F9C9930C9A62FB22A932023-01-17 10:38:58.612 11241100x8000000000000000105615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.612{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\24E0C4BC4AEC0B88980C72765FBF284C6DF4A80A2023-01-17 10:38:58.612 11241100x8000000000000000105614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.612{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5527A2141434F3581A911643B93EF8DFE718F2302023-01-17 10:38:58.612 11241100x8000000000000000105613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.612{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\18CF3B64AEFD5526374EFF9C8E7556812A304A222023-01-17 10:38:58.612 11241100x8000000000000000105612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.603{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5EA5B54146CBF91075EA60A426342FAD70A8020F2023-01-17 10:38:58.603 11241100x8000000000000000105611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.603{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EFF5276BB5F9D53F5D1930683BDD75ACD166530C2023-01-17 10:38:58.603 11241100x8000000000000000105610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.603{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\52A58E83FE8C50876E1F8FB3CC514A9DF54FA5B42023-01-17 10:38:58.603 11241100x8000000000000000105609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.593{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\400E995CC1D325DF9DC4B8B475611B1136B62F3B2023-01-17 10:38:58.593 11241100x8000000000000000105608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.593{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\72A3319457717E64E142AA0C935D55C37CFE49CF2023-01-17 10:38:58.593 11241100x8000000000000000105607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.592{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\41A2B6D0FF32AD2792DE3344A0BC3ED55C8D73AE2023-01-17 10:38:58.592 11241100x8000000000000000105606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.592{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\98E665C0DD94AC6E0D0ECEC39D0356F1D868E7FF2023-01-17 10:38:58.591 11241100x8000000000000000105605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.591{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\18F4188B31D0E433BC58DA4189DB194EDD27B5B42023-01-17 10:38:58.591 11241100x8000000000000000105604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.591{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A411DF507FFFBE1A7B0169D42D7A57422B9843EE2023-01-17 10:38:58.590 11241100x8000000000000000105603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.589{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6DC509568EE13D6ECC5893DFA7F9D4C4254E58ED2023-01-17 10:38:58.589 11241100x8000000000000000105602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.589{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\411969358083341F7C7E42D928708921D8F0864F2023-01-17 10:38:58.589 11241100x8000000000000000105601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.573{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\95C20AF26DEBFA8B54CBE2B8397F9E1AD1621C102023-01-17 10:38:58.572 11241100x8000000000000000105600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.572{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2228D3EEAADDE91D47EF447CC9CEAE52FF003F692023-01-17 10:38:58.572 11241100x8000000000000000105599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.571{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F4A9A7C28440AD9ECE0D2C243BEC4E4AF6CA3BA12023-01-17 10:38:58.571 11241100x8000000000000000105598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.571{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5840CB34477F67946C4DB933BFF7EEC2A97EB1CE2023-01-17 10:38:58.570 11241100x8000000000000000105597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.570{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CE1FC81EF2B6A9049B38DD50A1C648B3DFD7956F2023-01-17 10:38:58.570 11241100x8000000000000000105596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.569{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\99D82A51421E690D05A9B2EFA30253046B8DD9082023-01-17 10:38:58.569 11241100x8000000000000000105595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.568{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\219BC391DDE433A74A1EA58B0A6FD34BBD6EA1272023-01-17 10:38:58.568 11241100x8000000000000000105594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.568{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6B070AEB9B56969DC93FA1C9410C560E39A327252023-01-17 10:38:58.567 11241100x8000000000000000105593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.551{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2A346EAE9650433CE49BBB60685DE753A924FD3C2023-01-17 10:38:58.550 11241100x8000000000000000105592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.550{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E72D7F8AB863418D07378CEAF1E130B74CE14C8F2023-01-17 10:38:58.550 11241100x8000000000000000105591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.549{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2269703B7EB78378CDBC7831C10902B6CE4600312023-01-17 10:38:58.549 11241100x8000000000000000105590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.549{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\89E8E0C5517BD55709FB8C512B3CE7809F4558D32023-01-17 10:38:58.549 11241100x8000000000000000105589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.548{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F50F8A025013FE77DBF4FBE3A21CA7C6815BC1C52023-01-17 10:38:58.548 11241100x8000000000000000105588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.548{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\62BBF391C67D46942A6C0D6581568D1DD89345422023-01-17 10:38:58.547 11241100x8000000000000000105587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.546{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\80150AAEC62A6B9D6861EE4D21382E516DAAD4402023-01-17 10:38:58.546 11241100x8000000000000000105586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.546{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\31138F96C7D7314D9241A7951EAAC0571223932B2023-01-17 10:38:58.546 11241100x8000000000000000105585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.520{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F015B9B434C84931FB26EC2D12EA8889BC636E0C2023-01-17 10:38:58.520 11241100x8000000000000000105584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.520{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B03D84064A4F54C22DFA6EB0FCEEA86A5B9692182023-01-17 10:38:58.520 11241100x8000000000000000105583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.520{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6102EA8103E16FD4035AC312596E27C8A7BDC7152023-01-17 10:38:58.520 11241100x8000000000000000105582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.520{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\89A72747485799A26E6A914E352E69A3154F82892023-01-17 10:38:58.520 11241100x8000000000000000105581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.520{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DB6BC18D4F02AEEC1E2CBCBA4FF73FA006FBE7D72023-01-17 10:38:58.520 11241100x8000000000000000105580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.520{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\69323BB8DD471F28C0A002D09C082D4F1C34CBD72023-01-17 10:38:58.520 11241100x8000000000000000105579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.520{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9B4BBA0F40E64F0C581B97A3CB932305E46208662023-01-17 10:38:58.520 11241100x8000000000000000105578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.520{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FE1374B8CD91A2F96F8552BE9ACF322E7D1B76282023-01-17 10:38:58.520 11241100x8000000000000000105577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.502{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\531F643F210DE6378007D1DE6DEC1BAB3258A69D2023-01-17 10:38:58.502 11241100x8000000000000000105576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.502{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FB04A2580FE4532A58CB2E523950DCB63A3B15AE2023-01-17 10:38:58.502 11241100x8000000000000000105575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.502{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DFE7D46E33535D0880934AF4F7F7E52EC572B8142023-01-17 10:38:58.502 11241100x8000000000000000105574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.502{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\64EC807BBB32DF55AA5B7900C683F78C2C94665D2023-01-17 10:38:58.502 11241100x8000000000000000105573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.502{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DFCC1CFBE1596037E2022C6835370307E40EC1312023-01-17 10:38:58.502 11241100x8000000000000000105572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.502{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\58DA1562006C9B8D9B6B9E62A68C4F5BDA8165102023-01-17 10:38:58.502 11241100x8000000000000000105571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.502{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6F4EBA3237D422535D3518339E67568EA040242C2023-01-17 10:38:58.502 11241100x8000000000000000105570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.493{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7F35076222E77E112EE33D271125CF0E432422422023-01-17 10:38:58.493 11241100x8000000000000000105569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.493{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.493{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34568E0774AE395B30DCF177D54A431E,SHA256=3A80ACFEAD6CC7A95C0E9106F6C35348508FA652273462DD88495575658F3762,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.483{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\73D6934E4031EA7DB0258676B0122F890D6385F52023-01-17 10:38:58.483 11241100x8000000000000000105566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.483{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\89D3CE435C583E21E4C3FA49AB799AF14FBC551A2023-01-17 10:38:58.483 11241100x8000000000000000105565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.474{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E1A0D0A0F998B4E8EB8BA59CFD46ED36D54945A22023-01-17 10:38:58.474 11241100x8000000000000000105564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.474{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0445177C5D2B9A5003ADF4662060409453BB06A72023-01-17 10:38:58.474 11241100x8000000000000000105563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.474{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B17BB2D15B773E42F1C3A15E9F62824C7DA919A02023-01-17 10:38:58.474 11241100x8000000000000000105562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.474{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DE929B9A5F2B6ED04AEB2CB9BBC022858ADE5DDC2023-01-17 10:38:58.474 11241100x8000000000000000105561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.474{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8754C897271D8030333DBDBAC4036555EFBECF532023-01-17 10:38:58.474 11241100x8000000000000000105560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.474{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3946D9881EC991DE243FD30A42D8B0E557C80D3B2023-01-17 10:38:58.474 11241100x8000000000000000105559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.459{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ACC62FB629981CDEF4501AB21528E12328CF2ACE2023-01-17 10:38:58.459 11241100x8000000000000000105558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.459{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\51FB07BC2499C4016EFC531B81567016E19A8FFD2023-01-17 10:38:58.459 11241100x8000000000000000105557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.458{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\96E4505D5F6E8688B3B2D6E25EE962E5E5B0CC9F2023-01-17 10:38:58.458 11241100x8000000000000000105556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.458{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8738F2D0A41DE366AABA2F95BE99D69B38EA7DF62023-01-17 10:38:58.457 11241100x8000000000000000105555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.457{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C9D2A6876E647F97F439272EBCFEDF6FA61271442023-01-17 10:38:58.457 11241100x8000000000000000105554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.456{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DA2363878DF01C3FF65ECBD9EDEF3DB2F05649DC2023-01-17 10:38:58.456 11241100x8000000000000000105553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.455{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A470F9D0E4FC25D5B75047CA094B15ACA83550B62023-01-17 10:38:58.455 11241100x8000000000000000105552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.454{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\41AACD5EC27B6931BBC76B4386D950803A387C002023-01-17 10:38:58.454 11241100x8000000000000000105551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.437{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8DB7407503D5EFDE00A0B2CAB745E601F9B37FF82023-01-17 10:38:58.436 11241100x8000000000000000105550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.436{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A4E166AAB87CDF8948DF7BBC70BD74C6DCF210CB2023-01-17 10:38:58.436 11241100x8000000000000000105549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.436{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\83E9301A9D30E6D38D8614E7F356FAEA5C5482532023-01-17 10:38:58.435 11241100x8000000000000000105548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.435{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\272469B5FA22EDE6B88625F5F61A359B19965B912023-01-17 10:38:58.435 11241100x8000000000000000105547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.434{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C03208177A789E4721330563C29A641771324F6F2023-01-17 10:38:58.434 11241100x8000000000000000105546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.433{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\99A91ED1D007C72BEA4F3A8380683C2E7ABD2E882023-01-17 10:38:58.433 11241100x8000000000000000105545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.433{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\55E678453350CC8E87BC0E9F96B6A5A493FDEE3D2023-01-17 10:38:58.432 11241100x8000000000000000105544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.432{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\63C24B0CF710886EE0B1CD4E0CEC7235FE470D0F2023-01-17 10:38:58.432 11241100x8000000000000000105543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.417{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.417{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E53382C1C27C1BCA59D65624ED0AA3,SHA256=11F83674A5C1D7C8ADCCF1E7F6F39F88BE297B828E545B7338523F4D012ED395,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.414{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\903C56187CBB22F5D9072DB1D67B855491965C442023-01-17 10:38:58.414 11241100x8000000000000000105540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.413{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\33419D34BD857A7A16E9382B2F800BBD95F2C4D42023-01-17 10:38:58.413 11241100x8000000000000000105539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.412{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F146D42BDAEE9FAB774F95087E579A7F000A1BD72023-01-17 10:38:58.412 11241100x8000000000000000105538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.412{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B243628E3BD868C40F94C176EA38548592A124622023-01-17 10:38:58.412 11241100x8000000000000000105537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.411{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EB8224F643707BACE4AFA9FE75BA4C8C07A707F02023-01-17 10:38:58.411 11241100x8000000000000000105536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.411{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7DE3DB53979146B3856D436B58847388CD1899522023-01-17 10:38:58.411 11241100x8000000000000000105535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.410{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\16B201F5E544D55437A53AFAAD20D9A4999F9BA32023-01-17 10:38:58.409 11241100x8000000000000000105534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.409{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\090F28CCB23E2D8CD1253786488DE552292379C02023-01-17 10:38:58.408 11241100x8000000000000000105533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.391{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0A0CE9BE451A126AE145A78A32C30BF9603E52E92023-01-17 10:38:58.391 11241100x8000000000000000105532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.391{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E27B6FA4512CDF9913334AA77FB1AD5703B1B6442023-01-17 10:38:58.391 11241100x8000000000000000105531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.390{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\07DF5AFEB26A5F791161BC912ADF1302E1C6D9C62023-01-17 10:38:58.390 11241100x8000000000000000105530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.389{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D4EB2F0920663AA3595F327C09487582B40039102023-01-17 10:38:58.389 11241100x8000000000000000105529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.389{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2FA66A346DECFDD93C4B4EBC124E7E8A910CB6942023-01-17 10:38:58.389 11241100x8000000000000000105528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.388{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F292A2B13AF2B283786A6B2FAB113C116E8CFCFD2023-01-17 10:38:58.388 11241100x8000000000000000105527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.387{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\83FE8E01A06BBC73803FCCDC1CA7F4E81ED12CD92023-01-17 10:38:58.387 11241100x8000000000000000105526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.386{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\23154C7A32718B62C1914817F861CE0C73F0F9AD2023-01-17 10:38:58.385 11241100x8000000000000000105525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.367{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D8A5C50DD331CBA908A21A69560F01F76B55620D2023-01-17 10:38:58.367 11241100x8000000000000000105524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.366{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7EDB4E3903AF75166FC543B1E6D967C07134F0CE2023-01-17 10:38:58.366 11241100x8000000000000000105523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.365{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FD25CDD62D7CBBE966718C43C94EABE79044A5E82023-01-17 10:38:58.365 11241100x8000000000000000105522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.365{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D18852FC418FE2FEB44A0732BD93944C84EF7AAF2023-01-17 10:38:58.364 11241100x8000000000000000105521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.364{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B4DFD2AD9E1989BFA9B332F4A091650357432D372023-01-17 10:38:58.364 11241100x8000000000000000105520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.363{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D230BC1593F145CD8BDF3302B07D7F5DA772786A2023-01-17 10:38:58.363 11241100x8000000000000000105519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.362{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E0949E2C2E4181A5561C2ED23519198F4FE65C2B2023-01-17 10:38:58.362 11241100x8000000000000000105518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.362{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EDE68555BD82A03EB1762CEF512C8495608E47382023-01-17 10:38:58.362 11241100x8000000000000000105517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.344{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\08BE2E4D31569A287D14FAD424AD5FC3E11AA9082023-01-17 10:38:58.344 11241100x8000000000000000105516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.343{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\731B7DF92AC3A63A8EC5AC032C7CDBE1778814F72023-01-17 10:38:58.343 11241100x8000000000000000105515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.343{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\014C98341EB1374763C7D4C2BC02A7FA5C93DF6A2023-01-17 10:38:58.343 11241100x8000000000000000105514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.342{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7313C091D0E989FC7E904668DEF74FF07D3366002023-01-17 10:38:58.342 11241100x8000000000000000105513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.341{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\65AB85DDB54A65C9B9A1FF0146DE217331175F702023-01-17 10:38:58.341 11241100x8000000000000000105512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.341{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\20C8782D3A4225085BC7CFAFC600CE81E194B0BD2023-01-17 10:38:58.341 11241100x8000000000000000105511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.340{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D8C7DAD5B97B74CDE5AC235EF7859FFA24443C632023-01-17 10:38:58.340 11241100x8000000000000000105510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.338{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\509AAC6706DB72CDA0A70776CD4402228FC753142023-01-17 10:38:58.338 11241100x8000000000000000105509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.321{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\037317A54AE8CBF6DAAEBB0D81C8D15F0A5C47492023-01-17 10:38:58.321 11241100x8000000000000000105508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.321{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FA69F88B9639477100356F80B52854E7CB5ABCAE2023-01-17 10:38:58.321 11241100x8000000000000000105507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.320{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\48799E7FEAD18B3A2F550C89A045B1FC57C4C50A2023-01-17 10:38:58.320 11241100x8000000000000000105506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.320{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\154A4A55EB412887C6E6385E1344A165CE6F2BF82023-01-17 10:38:58.319 11241100x8000000000000000105505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.319{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3EFCBDA2226B83F5AC1A8469331371EE4F468E232023-01-17 10:38:58.319 11241100x8000000000000000105504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.318{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\76CE62CDCF99C178D0A2706E196B1BD08A2DF8862023-01-17 10:38:58.318 11241100x8000000000000000105503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.318{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\87801B7103EE41C99953176959B46634AED2A9D32023-01-17 10:38:58.318 11241100x8000000000000000105502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.316{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AB7F4E33B70C2F18E1C352D70FEE136080DF71572023-01-17 10:38:58.316 11241100x8000000000000000105501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.295{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CD212A5E23FD82B227747F2079AEDC5547C2567F2023-01-17 10:38:58.295 11241100x8000000000000000105500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.294{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F0A31416BDE00AC027636538248596C666262FB82023-01-17 10:38:58.294 11241100x8000000000000000105499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.292{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\467B5F7CD433546FF0019FAF96F318655A103D262023-01-17 10:38:58.292 11241100x8000000000000000105498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.291{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F026053F2471384208F4944898B7A4E7F607EEB2023-01-17 10:38:58.291 11241100x8000000000000000105497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.291{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A0B357E531F52AED314A8B15232B17EE0C7073DE2023-01-17 10:38:58.290 11241100x8000000000000000105496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.290{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D9A157473935360E47CC84BA342E7133A3A2CEC12023-01-17 10:38:58.290 11241100x8000000000000000105495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.289{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0BB20CB4AAAA42A943D95DBAED3CE223118D3E9D2023-01-17 10:38:58.289 11241100x8000000000000000105494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.289{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1ED165776F0302BA82020243DE4567105C815CA42023-01-17 10:38:58.288 11241100x8000000000000000105493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.279{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.279{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0490BB29298A7A8A2997302B784EDD9C,SHA256=DB7B8C0CB9518E4F0AFEDCC0134330E9E7D86E1A6E98A58E7F1928B2BBB7DEE4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.272{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9D9BD6D06E34E7ED39EA7B02D69BBF9BAF8D40782023-01-17 10:38:58.271 11241100x8000000000000000105490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.271{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4C70DD7ADB561F13F36B66511F744DDA6E06B2102023-01-17 10:38:58.271 11241100x8000000000000000105489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.270{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\30058C24280522E195BFDDD30A4B1BB29CBFD23B2023-01-17 10:38:58.270 11241100x8000000000000000105488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.270{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\30AEF7ADB2BB352483A9434AFD1C917A245ED5C52023-01-17 10:38:58.270 11241100x8000000000000000105487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.269{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1D72CAEC2AEDFF9A4E72859D95A13528A5DAE4912023-01-17 10:38:58.269 11241100x8000000000000000105486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.268{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5FD97DB55C85031DFD1F00FD9FA7C9A597AC44FD2023-01-17 10:38:58.268 11241100x8000000000000000105485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.268{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2C5B8C561F3FC4D6EB6DBCB6D651BDF55A08F0CA2023-01-17 10:38:58.268 11241100x8000000000000000105484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.267{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\243431038E22F95D6E56185A6D699FE623616B202023-01-17 10:38:58.267 11241100x8000000000000000105483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\06C9375813E13DFB63CF477B6A50C8864EBC607B2023-01-17 10:38:58.250 11241100x8000000000000000105482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F4DDEC3E53CDA53568982F90524A988A919E74E72023-01-17 10:38:58.250 11241100x8000000000000000105481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.249{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A88C38095B08BA0A8391025B2F35FDE9D73CC2DE2023-01-17 10:38:58.249 11241100x8000000000000000105480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.249{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EF66CF273647F8D15BA8422C3C23C9E8158A3FAF2023-01-17 10:38:58.248 11241100x8000000000000000105479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.248{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\10C471C77A0B32FC916AD62E3FA6F4FA4DE5D8752023-01-17 10:38:58.247 11241100x8000000000000000105478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.247{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CEB6128BE21EB46691E7BBF8AE92FB01A59E39322023-01-17 10:38:58.247 11241100x8000000000000000105477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.246{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5158B68B7C2EAD93705CCE0D74C8101BF21E9AE52023-01-17 10:38:58.246 11241100x8000000000000000105476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.245{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\567EAA7F01498FDEC590F83EE7C6A6F262DD57932023-01-17 10:38:58.245 11241100x8000000000000000105475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.230{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\120AC5B208C70D538AA18775F93EF1E8DB8153A82023-01-17 10:38:58.230 11241100x8000000000000000105474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.230{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6F207524D6E268A8B6B90975582C6A78BA2E594A2023-01-17 10:38:58.230 11241100x8000000000000000105473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.229{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FD5B6C1FC6AE8E7A4D0C42ECCEA3D32C479D21EA2023-01-17 10:38:58.229 11241100x8000000000000000105472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.227{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CFC706181587AE1BACDF929089E4AE62AC610B912023-01-17 10:38:58.227 11241100x8000000000000000105471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.226{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DA75C1666741BD7BEB62DD724F72CB7D69D52EE72023-01-17 10:38:58.226 11241100x8000000000000000105470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.225{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\171A61D146C293716F37F82FCB1B38C0BBFB5DB62023-01-17 10:38:58.225 11241100x8000000000000000105469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.224{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7B99949411B0CCBF5291144D1FD3EDB97C7B4FF92023-01-17 10:38:58.224 11241100x8000000000000000105468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.224{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\18A837A88EDBA5E776B1319498EB1A8F68DD184F2023-01-17 10:38:58.223 11241100x8000000000000000105467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.206{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\67D6C2D877D186F8F1FA90FB23A544682AF706042023-01-17 10:38:58.206 11241100x8000000000000000105466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.205{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0AD7CC9157215F4F6029365D866C8BF25C4BF6622023-01-17 10:38:58.205 11241100x8000000000000000105465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.205{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BB3E167D23E23536F253FA0CE469B0A067B91E4B2023-01-17 10:38:58.205 11241100x8000000000000000105464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.204{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2A8B1DE98E69C22F82CA6B1A7102AEA6A943575D2023-01-17 10:38:58.204 11241100x8000000000000000105463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.204{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3ED6DF0212AE599D288B88472B8ACB04AB47F4EE2023-01-17 10:38:58.203 11241100x8000000000000000105462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.203{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A6FF0280092C5CB1277C62BB0526871A40276DE92023-01-17 10:38:58.203 11241100x8000000000000000105461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.202{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5B9D47C80BF8F00876DA39662F7F5C8E220DAB882023-01-17 10:38:58.202 11241100x8000000000000000105460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.201{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D2BECD69EC3D80C41CC0EBCA8A3D6AAF6B166C732023-01-17 10:38:58.201 11241100x8000000000000000105459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.183{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\62DCFC47A8E98C2AA2F060B4CD2E1F406252FE3A2023-01-17 10:38:58.183 11241100x8000000000000000105458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.183{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\63D8B0E9A943B297BADF930B9BED16D683764BD72023-01-17 10:38:58.182 11241100x8000000000000000105457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.182{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\948563090B65AD638FBB529F5AC0F13581FFC92E2023-01-17 10:38:58.182 11241100x8000000000000000105456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.181{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6A0A14C0AD9AAD7192413E2BF015D92182661F4E2023-01-17 10:38:58.181 11241100x8000000000000000105455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.181{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\471AB9601B9ED9541006BA4A2BE035B45963611E2023-01-17 10:38:58.181 11241100x8000000000000000105454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.180{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EFEDFEE2B22814D2C901703729ADBE62A63A53B12023-01-17 10:38:58.180 11241100x8000000000000000105453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.179{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7B897FFB29613F5FCB9AA35F52B5E3827AEAA3FA2023-01-17 10:38:58.179 11241100x8000000000000000105452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.179{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FECBE6F9340217890D13B0C830008E175A12E6B52023-01-17 10:38:58.178 11241100x8000000000000000105451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.163{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\07786DC2787F7EF7740B0571AB8AF2C52DE90C6B2023-01-17 10:38:58.163 11241100x8000000000000000105450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.162{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5846569AC5792097B11687655094F9C2170E430D2023-01-17 10:38:58.162 11241100x8000000000000000105449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.162{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\02121E6A972BB9CAD2367BFD71BC95107771A3992023-01-17 10:38:58.161 11241100x8000000000000000105448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.161{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FAA8DFF059DCE7BBD1AF87E41F0F62DF15A0DF3C2023-01-17 10:38:58.161 11241100x8000000000000000105447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.161{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7B314A3E7E3BDD0D21E18DB4ACA787F2F03B2FBC2023-01-17 10:38:58.161 11241100x8000000000000000105446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.160{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CAEE62B54C61F02D7F46F1287C7FD12BE86634102023-01-17 10:38:58.160 11241100x8000000000000000105445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.160{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FDB307B0C3E4AABE7CF6B2E11C868303DF54C2602023-01-17 10:38:58.158 11241100x8000000000000000105444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.157{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2045FDC783F6A5D3A09103527A89D75F58B4B2D92023-01-17 10:38:58.157 11241100x8000000000000000105443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.139{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\B40F9FCCB44EBD568A51B1DA883C0DEBFDC4BD792023-01-17 10:38:58.139 11241100x8000000000000000105442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.139{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FF58D4AFEB8EBAFDF73A49154B575E0EAE37E2BA2023-01-17 10:38:58.139 11241100x8000000000000000105441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.138{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D7B52D54E60897DC0AFDE6F985FE862B6FCBB35A2023-01-17 10:38:58.138 11241100x8000000000000000105440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.137{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\FAF69F064654CEB7535CECDF153EFC0574FDB1D72023-01-17 10:38:58.137 11241100x8000000000000000105439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.136{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9FD05DD1D3F8113D77D187FF73C45B3AD8DFA1DE2023-01-17 10:38:58.135 11241100x8000000000000000105438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.135{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6CC27660169917F35604A8A97FD4E92A726C27CC2023-01-17 10:38:58.134 11241100x8000000000000000105437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.132{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8C72CC1C19EA16A9B0299A8AEA611B3835ED31342023-01-17 10:38:58.131 11241100x8000000000000000105436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.131{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8F1467930E845BC56D80CFA93504D7A9B352D9E32023-01-17 10:38:58.130 11241100x8000000000000000105435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.113{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9BC92BA39C58EDD474C24BE51DBB13814BAF3B102023-01-17 10:38:58.113 11241100x8000000000000000105434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.113{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\86196343435D434D91D61D1AEDC74F823F3669472023-01-17 10:38:58.112 11241100x8000000000000000105433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.112{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\166BA44AA59A8D4BB91655166FE2889ACA9D825C2023-01-17 10:38:58.112 11241100x8000000000000000105432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.111{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\10CDDB3BC13E4E258037608949BBFED5DF74AB122023-01-17 10:38:58.111 11241100x8000000000000000105431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.109{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\12D8DE7DA0C62044BA348D9EC8EE14134E2639932023-01-17 10:38:58.109 11241100x8000000000000000105430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.108{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D9FC48204F6E8CD83448D05379A6E1116F733B8C2023-01-17 10:38:58.108 11241100x8000000000000000105429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.108{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C6924093FB1272F2F47FDE2FCEAA85934ED314C52023-01-17 10:38:58.108 11241100x8000000000000000105428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.107{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\69976F135183A5ED07E605110C11D585B421DD952023-01-17 10:38:58.106 11241100x8000000000000000105427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.089{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D878BD02E3185460A3B6641C65CD1444768F2B672023-01-17 10:38:58.088 11241100x8000000000000000105426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.088{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7D2D5FA77C8DAAED72AC846191F71F1C6B0E10B62023-01-17 10:38:58.088 11241100x8000000000000000105425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.088{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D8D94C6010EEB0F652CB8013F62F0554E0D4E0E82023-01-17 10:38:58.087 11241100x8000000000000000105424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.087{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3345773A432868A1A1141EFFA6AA912689CD5CAA2023-01-17 10:38:58.087 11241100x8000000000000000105423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.086{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0992EA81E0C8F8BEE5DBBF6107D66C12245944F42023-01-17 10:38:58.086 11241100x8000000000000000105422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.086{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\748F9E664DACDC1AB46FB73968F353C6AADB1BE72023-01-17 10:38:58.086 11241100x8000000000000000105421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.085{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\735C71EE45EDF964FBAAD62B8A0E6285917934462023-01-17 10:38:58.085 11241100x8000000000000000105420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.084{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\33DBE454E19EA48E44471C4E78EB5CC861C23EAC2023-01-17 10:38:58.084 11241100x8000000000000000105419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.068{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\27824A440631E3C2F731E627E5AEF21E33EDC9CE2023-01-17 10:38:58.068 11241100x8000000000000000105418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.065{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\09E1A0E31CE6339675EDAB64AC9A5BC445454B872023-01-17 10:38:58.065 11241100x8000000000000000105417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.064{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\25214AC7A33AD709A293B6504BE702AD5C7788382023-01-17 10:38:58.064 11241100x8000000000000000105416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.064{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\51EC7F71D58A95B8E4154FB8E8E6BC8CE06E06F62023-01-17 10:38:58.064 11241100x8000000000000000105415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.063{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4F65909949570475EAE745DCDA29ADE56D2BF1BD2023-01-17 10:38:58.063 11241100x8000000000000000105414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.062{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6EF583C0210D3282A2A6D8B2803640CFEB24ECBE2023-01-17 10:38:58.062 11241100x8000000000000000105413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.061{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\74E6A8A97D0AF97702A1E7AE492F6DCFC6F0E5482023-01-17 10:38:58.061 11241100x8000000000000000105412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.061{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A29EC6084D7EF46164661C876BFB525233EAB62C2023-01-17 10:38:58.060 11241100x8000000000000000105411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.046{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4A7CAD3E7E6DF30BEA7C97C600FD028AA98481D72023-01-17 10:38:58.046 11241100x8000000000000000105410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.045{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9BA280E2F4D0847D751CC1D1D701D318ED2646C32023-01-17 10:38:58.045 11241100x8000000000000000105409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.044{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CF4DE2B46FB4406F170FBA1433F465ABCD32B6A82023-01-17 10:38:58.044 11241100x8000000000000000105408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4AD5E00510800C5DCA9F3A60CEA26814DF24F2592023-01-17 10:38:58.041 11241100x8000000000000000105407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.041{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\64BAE0C154D1EA9F4D76631BA09D0AA415871C0E2023-01-17 10:38:58.040 11241100x8000000000000000105406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.040{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\10EFC68E3E0DBB24C85547B61DBC9E349CB753922023-01-17 10:38:58.040 11241100x8000000000000000105405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.039{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7F5C709B4D234CF20756F5DA6D54F95ADFF2423D2023-01-17 10:38:58.039 11241100x8000000000000000105404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.038{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C5A39D1D5BAB8A8059CB89BE2DD38B4E4EF7CA882023-01-17 10:38:58.038 11241100x8000000000000000105403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.021{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AA92311EBC1312944B0DA49357A858FE1CCBB0292023-01-17 10:38:58.020 11241100x8000000000000000105402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.020{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\73607977EEC55DFF8C38F3CB243B226A983090C52023-01-17 10:38:58.020 11241100x8000000000000000105401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.020{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C2CBE9FCFCE8BBBEEACD99AF0FB8C5A40AAD67A72023-01-17 10:38:58.019 11241100x8000000000000000105400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.019{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CC97072EC9A528D8AFDF9762E3CBA0DE71AAEF5E2023-01-17 10:38:58.019 11241100x8000000000000000105399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.018{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A08D0B4D3470CD71F356F9F943D7E54F80D62C1B2023-01-17 10:38:58.018 11241100x8000000000000000105398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.018{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D57618AB3A4A6E71E03EDEC5113C9BE86EF988D62023-01-17 10:38:58.018 11241100x8000000000000000105397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.017{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CA03C452A6B85F7C0073FEAB7EA2FD622EA181462023-01-17 10:38:58.017 11241100x8000000000000000105396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:58.016{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\490196D851914E82D0537A7FFB932E8171D806BA2023-01-17 10:38:58.016 23542300x800000000000000070966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:59.979{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4E339450E15DA7336E89D0E22B67BD,SHA256=985630EBB766EC586EC285A258615C177A1C2C391A75DB8374B51A4A783548D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.601{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.601{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA016A963371572750C03E2256E9B686,SHA256=9E5E9B2AC95151AADDA6588035266607FD0F0DEE4922C4C3F7F95D958CEB17CE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.592{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.592{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC400D5804DD1130F0447DD1ACBF2DA4,SHA256=B9BF82B83DD628DD4B288E9226865FD12E239F1E258E9E5E6186C7824C85A653,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.428{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\security_state\data.safe.bin2023-01-17 10:38:54.704 23542300x8000000000000000105889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.428{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\security_state\data.safe.binMD5=C29C5E0D0336692B0038858743999240,SHA256=449EB2E9F25E45E854B8ABC2236D801080E4D2F174BA7BD4C24A1DBFCE1055B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:59.807{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.387{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C40EAD107DC8513C87E90A46C0489B30FDF93DE92023-01-17 10:38:59.386 11241100x8000000000000000105887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.385{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8CF9ED5DEFC041553F6554FF6BDF1B0300B6A47A2023-01-17 10:38:59.385 11241100x8000000000000000105886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.385{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0D0C623538D91B692ED976B2C095083D245A267C2023-01-17 10:38:59.385 11241100x8000000000000000105885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.369{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CE9E59B6C9175369AEB0E81BF18DBABF49F005B52023-01-17 10:38:59.369 11241100x8000000000000000105884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.368{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E3A7B4868559DAFABEF9E9115C78C20EA00742A62023-01-17 10:38:59.368 11241100x8000000000000000105883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.368{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\03FEDCE2C42EFBAAEBFE4273A89F795FB46971862023-01-17 10:38:59.367 11241100x8000000000000000105882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.367{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\91F253BA26C3741330065144D44DE81DDCCD7F852023-01-17 10:38:59.367 11241100x8000000000000000105881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.366{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E747D24FF18760F88B84DAB00D962AC264D2D9412023-01-17 10:38:59.366 11241100x8000000000000000105880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.366{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7C4D954C149B95AEA4CD835DDEEEDF5472A39C0F2023-01-17 10:38:59.365 11241100x8000000000000000105879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.365{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F7552E25010C924B4AE822711F755B739D258B662023-01-17 10:38:59.365 11241100x8000000000000000105878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.364{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\57B42CEC9A7D3475ED7F43475B495CB89BB3B0B02023-01-17 10:38:59.364 11241100x8000000000000000105877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.346{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9BC147769E25173D61100CC3F768598662554C722023-01-17 10:38:59.346 11241100x8000000000000000105876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.345{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BAF1D3616CB83CF335176E14ECB546BB12AF402F2023-01-17 10:38:59.345 11241100x8000000000000000105875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.345{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\536A4F6B38BD9B12C904EDD6B3147498D6EF427F2023-01-17 10:38:59.344 11241100x8000000000000000105874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.344{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A2F55E726A689FA2A2346AFE460CBF00D41D3A7F2023-01-17 10:38:59.344 11241100x8000000000000000105873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.343{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AA5D4701AB46FF8664D3E9F3A7277AA60E8B05112023-01-17 10:38:59.343 11241100x8000000000000000105872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.343{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F9C2BA30D8D57FEB7940FA2ACD4BF9AD2D3535C02023-01-17 10:38:59.343 11241100x8000000000000000105871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.342{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DB4E71F9295703BED695C682193B873EE2B42A512023-01-17 10:38:59.342 11241100x8000000000000000105870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.341{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\51079C4175CAF589DEA123D224241C3F909752BF2023-01-17 10:38:59.341 11241100x8000000000000000105869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.319{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\240374942E744AD48A9C2E99E26437B65EB473202023-01-17 10:38:59.319 11241100x8000000000000000105868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.318{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\77CBA1140DFDBE5DFA90406D8EB63604C4EFE23A2023-01-17 10:38:59.318 11241100x8000000000000000105867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.318{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\270C541FE0E8563F2AD606D644D8947188368ECA2023-01-17 10:38:59.318 11241100x8000000000000000105866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.317{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\66D3563D4B7F62C3C1C577B56A6258F3FB2A0D872023-01-17 10:38:59.317 11241100x8000000000000000105865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.317{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7E314C841CABBA9571CE1293406E65DCEEC23DA02023-01-17 10:38:59.316 11241100x8000000000000000105864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.316{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3658C1C6E2823C0C61E4AA2BEFCC9219436ACC8F2023-01-17 10:38:59.316 11241100x8000000000000000105863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.315{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E898B0F5381CEFD3C4FEEEC2575F40C31A7278452023-01-17 10:38:59.315 11241100x8000000000000000105862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.314{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\369E4AF6054B44B6935D95D527EBD5BC904B27C72023-01-17 10:38:59.314 11241100x8000000000000000105861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.297{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A66D38917D45D2D64EE6CAFD41BF74111E513B092023-01-17 10:38:59.297 11241100x8000000000000000105860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.296{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A68B2B01F4C5FD751C8FAAACCC3B1760676BB5A12023-01-17 10:38:59.296 11241100x8000000000000000105859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.296{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C0264B691584969434A45FFCD537AE4F12456FC32023-01-17 10:38:59.295 11241100x8000000000000000105858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.295{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1CE20BC524F631EF9F29FC347822BEAEF2B17F2E2023-01-17 10:38:59.295 11241100x8000000000000000105857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.294{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F0D133F501175066FF688820B437FE4C95C560B42023-01-17 10:38:59.294 11241100x8000000000000000105856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.294{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C99D97E51C87FCF4F2144AB3948633EB107B78792023-01-17 10:38:59.294 11241100x8000000000000000105855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.293{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C56A24699DE0A72358036F23A4176A5917D3D9312023-01-17 10:38:59.293 11241100x8000000000000000105854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.292{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\95155EE40748D9F1874DB12AB86FDAFF0F8AFB872023-01-17 10:38:59.292 11241100x8000000000000000105853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.274{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E19489B90BE603E18BEF5C8C27B141D2C8D5D5C52023-01-17 10:38:59.274 11241100x8000000000000000105852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.274{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F8F395444ABE3B6779FC4FE997DEBF82682F89D82023-01-17 10:38:59.274 11241100x8000000000000000105851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.273{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\DD14E09941EE44485218EF47640467FCF7B2026B2023-01-17 10:38:59.273 11241100x8000000000000000105850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.273{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\124BC5291CF9F193D7F824B415CD8BE3C644E8922023-01-17 10:38:59.273 11241100x8000000000000000105849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.273{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6913918215D8979988C0DE81A08D7E2D6DDD9B762023-01-17 10:38:59.272 11241100x8000000000000000105848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.272{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6D0817FE087EF2C554737F1C8A3DDDA192EB49A82023-01-17 10:38:59.272 11241100x8000000000000000105847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.272{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\81B1E764854DB77BE35303AE81DE5288D09E97662023-01-17 10:38:59.271 11241100x8000000000000000105846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.271{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\08B056B3CCB08A906711C0C1A64BC157A8E3AB192023-01-17 10:38:59.271 11241100x8000000000000000105845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AFB6DD044F7FE5184F886E65E1F1E220D89DABF22023-01-17 10:38:59.250 11241100x8000000000000000105844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.250{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\250771F509512CCC6F195A247C437E48E65F98E02023-01-17 10:38:59.250 11241100x8000000000000000105843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.249{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\582BC2CCCFB7DF0EBD97F8F9D7AF8DFEED12C8AA2023-01-17 10:38:59.249 11241100x8000000000000000105842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.249{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9925D86F2EC86D8CFB511CF7C24C2A94A5BD808F2023-01-17 10:38:59.249 11241100x8000000000000000105841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.248{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1E5A19F86BDC4B31E42B8A785FDCDB1C213837182023-01-17 10:38:59.248 11241100x8000000000000000105840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.248{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0F7A53BAC63A4ABD77C5F182FCAFEF2F2839D42C2023-01-17 10:38:59.248 11241100x8000000000000000105839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.247{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ED0A15DF543115C06F74E05239C30DC3B0E5A8922023-01-17 10:38:59.247 11241100x8000000000000000105838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.246{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\44BABB1946694D367E446FACA4B65F2DD34376B22023-01-17 10:38:59.246 11241100x8000000000000000105837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.229{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F1986A11C4642C9F2FE90A96626D9A2C2F4468942023-01-17 10:38:59.229 11241100x8000000000000000105836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.229{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D81B34FB3A5DC97F735A03A1BCAB5C6AA04C42412023-01-17 10:38:59.228 11241100x8000000000000000105835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.228{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\44D39115322EA28455998DFAED65E97D8E9EF8822023-01-17 10:38:59.228 11241100x8000000000000000105834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.227{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E8658B522705637B06BEC8C4DC422420E37AF63D2023-01-17 10:38:59.227 11241100x8000000000000000105833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.227{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\12DA8CB85C87BF188DDD66052363CC689A851CA72023-01-17 10:38:59.227 11241100x8000000000000000105832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.226{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C19C3F528A168C0C65CB44816A953A438EDEFE342023-01-17 10:38:59.226 11241100x8000000000000000105831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.226{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D88D1A47157823801EBE09BAB6EBAD8C4E8077E12023-01-17 10:38:59.225 11241100x8000000000000000105830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.224{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\9808424EC8912877C10195A0334D667742B3DD2E2023-01-17 10:38:59.224 11241100x8000000000000000105829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.206{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D8AA07150D60F7E9B7A51F7C5212F88C3680D6632023-01-17 10:38:59.206 11241100x8000000000000000105828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.206{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F88464507B7401468DF551B0EF645BF95CE647092023-01-17 10:38:59.205 11241100x8000000000000000105827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.205{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C14FC273658A9D71CAE6EE036B1BC65F404CE1C82023-01-17 10:38:59.205 11241100x8000000000000000105826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.204{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\07B860A413E2D1A1E27CCEA04921704FA8AF914B2023-01-17 10:38:59.204 11241100x8000000000000000105825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.204{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C7318B02BAA4D68FBDF0974970E59DDB7D166E782023-01-17 10:38:59.204 11241100x8000000000000000105824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.203{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D4527D8AC8F4A2CFEDA9933B44FE4ED0C0CD240B2023-01-17 10:38:59.203 11241100x8000000000000000105823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.203{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E955F8DD2742509E600B01698266D9C373F4D5D12023-01-17 10:38:59.202 11241100x8000000000000000105822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.201{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4D9DC6C282B471CD8104BDBD01496D4E57F1C3A22023-01-17 10:38:59.201 11241100x8000000000000000105821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.183{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\EBD37E5B16395CF290C72DEBA739C47B9534E7862023-01-17 10:38:59.183 11241100x8000000000000000105820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.183{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A31088A9237CDAA25734C1DC874E78E4613ED3862023-01-17 10:38:59.183 11241100x8000000000000000105819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.182{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BADC4E8AB64B5345EEDBD2F1D4197C3050E4DC302023-01-17 10:38:59.182 11241100x8000000000000000105818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.182{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\63741B202B3BF512C436A0D1BAF8AC7198CCEA172023-01-17 10:38:59.182 11241100x8000000000000000105817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.181{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3B7D300D1A41166DDAE5061461136B3BB47FCE842023-01-17 10:38:59.181 11241100x8000000000000000105816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.181{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D5BCB1FA0C152766336FA73D73AAAEC56BDE24C12023-01-17 10:38:59.180 11241100x8000000000000000105815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.180{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D73D2753F9733F232EB78D33C4988FBA7BB495692023-01-17 10:38:59.180 11241100x8000000000000000105814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.179{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4C7114ED0F947D300DA635358233F684D269C7F02023-01-17 10:38:59.179 11241100x8000000000000000105813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.163{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E750D16D2769CB4755B88EC529BD2888C865C75A2023-01-17 10:38:59.163 11241100x8000000000000000105812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.163{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3EA8C37DC404FC240C661074448692862F8642932023-01-17 10:38:59.162 11241100x8000000000000000105811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.162{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\677A29EC7D348B87A89C10E13AEDFC63D1AD6C942023-01-17 10:38:59.162 11241100x8000000000000000105810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.161{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BBE73EC9B5B2305E997576C8FB0F7F9546AAF4A32023-01-17 10:38:59.161 11241100x8000000000000000105809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.161{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\0E992B32663BF2A2CEB121174CD03B9AE1B00C1E2023-01-17 10:38:59.161 11241100x8000000000000000105808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.160{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CE3565364333A650A87D6837DCFC5D01B086719A2023-01-17 10:38:59.159 11241100x8000000000000000105807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.159{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\06068269418778D5CC57DB5110AA921D612878472023-01-17 10:38:59.159 11241100x8000000000000000105806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.158{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E37DA7171670D5D49622AF2E28598790CB22E4892023-01-17 10:38:59.158 11241100x8000000000000000105805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.139{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\62373BED09517DA86A21FC34F5B7AFE723702F132023-01-17 10:38:59.139 11241100x8000000000000000105804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.138{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A80B2505F9CA0E6A3984FDF81038ADE8B0A3B1A82023-01-17 10:38:59.138 11241100x8000000000000000105803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.138{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1439DFF804ED82579F84F72C2501C52A54EA20AF2023-01-17 10:38:59.138 11241100x8000000000000000105802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.137{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\6FB6CEAF95AD93B661F0B21122F5274ED988AF892023-01-17 10:38:59.137 11241100x8000000000000000105801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.137{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\50FBFC432CCADCEABD24A4698B58C67986A627322023-01-17 10:38:59.137 11241100x8000000000000000105800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.137{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\35E2BDF20A37E5B603198B3DD209F8CFCB5888242023-01-17 10:38:59.136 11241100x8000000000000000105799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.136{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CE785DA7D95FB42F853FA65062C02D4BE2EE9E812023-01-17 10:38:59.136 11241100x8000000000000000105798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.134{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BDD93F1BCE0E0A272B7D733BAC0B2B04D899D8D92023-01-17 10:38:59.133 11241100x8000000000000000105797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.117{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F3A633FEF9C813153EEEF121E0002277FCC5AD252023-01-17 10:38:59.117 11241100x8000000000000000105796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.116{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\4481C1CB9AB0E043F342A85F29EDE27495F9AEC72023-01-17 10:38:59.116 11241100x8000000000000000105795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.115{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5BDE05B7D2A2CF5F660AD880FC9795AF9D3B74102023-01-17 10:38:59.115 11241100x8000000000000000105794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.115{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\955938A9707480804B93CA055492DF8214E52A3D2023-01-17 10:38:59.115 11241100x8000000000000000105793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.114{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F169638AE3A2C43746ACCCE9DF55C7215A4E0B532023-01-17 10:38:59.114 11241100x8000000000000000105792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.113{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E4E69390EC3552360775EAA5E05E8ED844F4B4432023-01-17 10:38:59.113 11241100x8000000000000000105791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.113{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ECAB6503E7FBA98921DBA54806960693521DE1412023-01-17 10:38:59.113 11241100x8000000000000000105790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.112{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\AE206D43BC65BA4464522B97DB60E96711EA05432023-01-17 10:38:59.112 11241100x8000000000000000105789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.094{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CDD4FA9FA0C17487EE9BAD1E6E055C304DE023172023-01-17 10:38:59.094 11241100x8000000000000000105788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.093{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E8D61A0E0D66DF7C2D2D033F61730FDF627C3DA82023-01-17 10:38:59.093 11241100x8000000000000000105787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.093{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\256C4BA84215C2F1791D313409231146B1FFE7512023-01-17 10:38:59.092 11241100x8000000000000000105786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.092{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\D674415F6B7C478C7270ED9679E72CB0F007D9B52023-01-17 10:38:59.092 11241100x8000000000000000105785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.092{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\965DDC407B1ACE90EF55C1CF88EA24518E4F89B52023-01-17 10:38:59.091 11241100x8000000000000000105784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.091{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8D6C40F775C0FB683232D68EC6F9276C415B17112023-01-17 10:38:59.091 11241100x8000000000000000105783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.090{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2CEC0EAF0FC43CDD28F52C2DBC213DB32D14D5172023-01-17 10:38:59.090 11241100x8000000000000000105782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.089{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E796923B2B177E0E467C2A65CAB8D285C83986552023-01-17 10:38:59.089 11241100x8000000000000000105781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.072{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8E1F8EB5FA1AE6CCBF95228F572BD1600BFCADC62023-01-17 10:38:59.072 11241100x8000000000000000105780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.072{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BE38971746BB2B87DF540B808E1D5B7A1057F60A2023-01-17 10:38:59.072 11241100x8000000000000000105779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.071{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\A8CB215388C88FB14851CBBBDE112954D086FDC82023-01-17 10:38:59.071 11241100x8000000000000000105778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.071{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1B13192D01C3879399B9408EB71C43168D3771EF2023-01-17 10:38:59.070 11241100x8000000000000000105777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.070{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\C4476C305C85282BD89CC68D7D2F3C4B45499E012023-01-17 10:38:59.070 11241100x8000000000000000105776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.069{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\3734D54CA9403BF460164A7E40D5C4CDADF21BC42023-01-17 10:38:59.069 11241100x8000000000000000105775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.069{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.069{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFD5D5FA717BD8C182BE5BF1B7466F5,SHA256=DEFC03C95837E0BA879691FACE2B488A22D13114D16DC5FBF6740118EA02FB7A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.068{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F742E448FC82224E3F8AB73B0B253CD6C07E14E32023-01-17 10:38:59.068 11241100x8000000000000000105772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.067{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\67104C5358909517A397FFE0A606AA8D6678FBD82023-01-17 10:38:59.067 11241100x8000000000000000105771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.049{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\47643866DBECAA800DC6A3C9F55111E77CBA74662023-01-17 10:38:59.048 11241100x8000000000000000105770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.048{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\E03EF08FA5338C8AEFBEB50C382174F42277A4822023-01-17 10:38:59.048 11241100x8000000000000000105769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.048{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CEBD8B9330520EF6713FB5E1F43D24FD3B9665EF2023-01-17 10:38:59.047 11241100x8000000000000000105768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.047{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7967276460EDC54054A06A7A8364E24AF7CE39E62023-01-17 10:38:59.047 11241100x8000000000000000105767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.046{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\30ACE80F873D54F4A98C149F0189A6B40D0FDAB02023-01-17 10:38:59.046 11241100x8000000000000000105766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.046{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CA4FB76304FD7912D07CA36F8005D23460FD16E52023-01-17 10:38:59.045 11241100x8000000000000000105765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.045{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2EB12522567BA7A480C33039B4BDD5C7E54E9A922023-01-17 10:38:59.045 11241100x8000000000000000105764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.044{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8252257034FF4121D95587C8F31C2B413756F04D2023-01-17 10:38:59.044 11241100x8000000000000000105763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.026{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\43B1A04C2C7CE3F4ED16CF7155807039A880992F2023-01-17 10:38:59.026 11241100x8000000000000000105762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.025{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\462866653FB616D4D7EA0544E7611BAD28EE08CF2023-01-17 10:38:59.025 11241100x8000000000000000105761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.025{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7BECDB818EB2E0A34E58C7A7B6569F561A2C883F2023-01-17 10:38:59.025 11241100x8000000000000000105760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.024{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7258BD47C5A7D1C475B345D5CEABE3FD51B573552023-01-17 10:38:59.024 11241100x8000000000000000105759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.024{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1BCA1C347CF1397B586BDF7E85E7F05914573F5E2023-01-17 10:38:59.024 11241100x8000000000000000105758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.023{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\F75302C3C07ECEDDD760F57FD357EFA0FAFE331A2023-01-17 10:38:59.023 11241100x8000000000000000105757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.023{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\BC343DFC94C8B07EABD1112AC81C678EBBFBBA662023-01-17 10:38:59.022 11241100x8000000000000000105756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.021{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\5CE2E31BF64A43CCBBDB4E3EEDD203BF71F586202023-01-17 10:38:59.021 11241100x8000000000000000105755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.004{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\1B52F1881DA0891B85A1B50071B4EBF2039147882023-01-17 10:38:59.004 11241100x8000000000000000105754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.004{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\7832BC775A1C31E24441A92A4374452F52A9155F2023-01-17 10:38:59.003 11241100x8000000000000000105753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.003{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\36F22F316F533DF2210ACE99C97A91D0B81476392023-01-17 10:38:59.003 11241100x8000000000000000105752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.002{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\2FCF10CC6A2C50FCFD40C727C321B0027D547DD72023-01-17 10:38:59.002 11241100x8000000000000000105751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.002{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\258399C2B9CFA3921027A1F04941F666791343F62023-01-17 10:38:59.002 11241100x8000000000000000105750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.001{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\CDB3C9FF5336B33EF71B4AE84D348C34AC2EF8592023-01-17 10:38:59.001 11241100x8000000000000000105749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.000{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\ED65DB040F0BB8D6221AD9970A87B3E8916B4DA02023-01-17 10:38:59.000 11241100x8000000000000000105748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.000{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cuj52sse.default-release\cache2\entries\8A872CA9D9D21E71D762437A95D67BD71D99F3E32023-01-17 10:38:58.999 23542300x800000000000000070967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:00.440{F6EEFE7F-6CEF-63C6-1100-00000000B102}960NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E52A99D89D5DD30876186071E757CBB6,SHA256=EE1F663A54750346E8BBFD2AA2FDC063BDD7D39DB92F338A50C57745CE68A0E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:00.528{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:00.528{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE71D934DB48001A1E0C2B30F627494,SHA256=DCEA8794C67851E15782B3B6481AC6237032B76F5E7A0785D3527C960C3992E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:38:59.794{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50416-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000070968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:01.284{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE2281B475901BDEF38A12DF455F27F,SHA256=239E0CA8BD87F965C3AAD110076DAEE0AD9F0ED0A994E873EC31C93A456AFCF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:38:59.354{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64616-false10.0.1.12-8000- 11241100x8000000000000000105898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:01.593{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:01.593{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43FDCBE3A4FF780AA25012045E7EC35,SHA256=C62193CB260E9A073CC7A8A2EE0EE0D223A6A664FFA95F1FA52780EEB097E8B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:02.377{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4531F9E06D4E13936F6AAA52966AAE2,SHA256=D62041FA5F271AEE283163A0300B371B726D2C8ACC84CE615474BD4B06AED07F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:02.652{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:02.652{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0B74CF45157B6A74AFE967CA3E33A6,SHA256=EA416CC4795D500376300A2A3AC709C7A9A1B0FD1C22B37346AA7288C12927BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:03.815{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:03.815{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643710E80DBBF93C795462A8F66EE3FD,SHA256=2E16853DD37BCF494AF237672C6D25E866DBE08F5B67B6AA86830E7726788A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:03.465{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967E5A604E3AB07674A22CB2F0A8A35B,SHA256=366E054248A764B610F51E7199F6284A2882B1F9CBA1CDD75B2719393980E88A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:04.872{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:04.872{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4F8340D6CB7ED1F30BF415084C00CC,SHA256=9B294C6AFABE69DDF712DE0AF45391C3D9E9A26AE23C569E6027797608877714,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:03.081{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50417-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000070972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:04.562{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A3B23F380EF2689BD1B4D6AFDC6B96,SHA256=EAA6DB917317CD24578A3CA257245C9E9E7DFF1AD60FF343243F4EC6E3B4B87E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:05.917{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:05.917{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E99E9B1C425C8821C7222ADC09D3C49,SHA256=CFD4181B3548AA980DFD9F1911ADCE345616D3A018012DB010791658B9FA573A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:05.668{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057E8C90A36E8D6ED131E322671AACB7,SHA256=F289578D2DC1D3CCAC331B7177833F5F004D43BB3D089C6B35D33739329DE13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:06.746{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A856134ECF1E0FE2362114D2BEF3F0,SHA256=5B16C3A6A9FA9ABCED3405E12D598AA16190A37F4508E482CC93B7E87E370122,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:06.980{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:06.980{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654FA44FC9753AA5E80E43A0B24C5351,SHA256=8C2986680F32B9D09B3CC9F06352E36529442A6922622EE7F0C6A8F6736FAAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:06.835{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:06.835{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:07.840{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AAEFA125FC51B97236AE8ED8266D6C,SHA256=912D365FE68C988AA672087E6891D5A78E5A5A9D6E79F360D4D4861318B99443,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:07.996{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:07.994{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 354300x8000000000000000105912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:05.297{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64617-false10.0.1.12-8000- 23542300x800000000000000070977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:08.924{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8A395710B74478511C4B97CE6C027A,SHA256=B1A6E8366FE01FA64201B6CD5BFC5BB75FC85FB86B1176B2AB4C86A73A59F178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.185{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.182{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.178{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.177{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.175{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.170{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.166{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.164{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.162{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.158{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.147{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.143{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.137{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.129{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.121{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.082{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.063{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.057{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.048{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x8000000000000000105917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.048{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.047{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB54379B706983F6049804DA9C4C519,SHA256=5A80BFFFF90B7BB94504F9941D9BCFC82557927462DCB8BAB4EC163B08449FC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:08.041{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x8000000000000000105938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:09.109{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:09.109{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CEDDDA4B4B1D96B882BB1CF4CBF837,SHA256=EF6EB2372BBCFE8DD898DAF19B356C1AA8AE9DB8835273CCF428726F0B80DDC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:10.628{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:10.627{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:10.227{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:10.224{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:10.217{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:10.201{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x8000000000000000105940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:10.175{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:10.175{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A168C305C62BF1544E70978B6848D5F,SHA256=9508D4A0B004C77DC31630FF88560ACDEF7DF88BE9EAF47B021BD83D98D7A59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000070978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:10.014{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822C2F7D1C65797AC21487C7D4B8B27B,SHA256=D2DF4B2E3F86D25E08CF7A8A60F1CE761D020C18150686A932B6BC2FB2FD06B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.655{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=0E51D82C2F290649901AE261F0E2F28C,SHA256=CB87DAA50D87D7FF928B540F483C1B8F66C217C194793F9F26A700D511296D26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.326{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.325{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.322{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.320{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.318{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.316{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.313{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.311{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.307{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.304{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.301{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.298{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.296{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.293{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.291{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.288{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.285{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.283{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.281{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.273{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.272{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.245{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.244{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.243{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.243{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.241{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.224{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.212{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.210{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x8000000000000000105960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.202{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.202{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7359B2C984AAF51D4D7304547F0DA854,SHA256=496262399CB74C0DD73AC724FAC7188154D7A40F4A47BAF21810525B553302B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.176{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x800000000000000070980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:11.207{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13D4A949C3F8638C9ECC534B69BD657,SHA256=8AD7210F85F800D5BE49BF825C48743F57C3F0010DC4FC3EE94DB0ADD61F67A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000070979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:09.036{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50418-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000105957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.168{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.155{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.150{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.147{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.144{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.142{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.139{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.137{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.136{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.133{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000105947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:11.132{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 354300x8000000000000000105993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:10.359{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64618-false10.0.1.12-8000- 11241100x8000000000000000105992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:12.730{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:12.730{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4CFD4DFCA1E06F7618F18BA1258261,SHA256=471B99E0C9A479B347D55D11A0FC05EA84718F52C956CBA73DFC9A0D199BD183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000070994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7AD0-63C6-7C02-00000000B102}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEE-63C6-0500-00000000B102}4041228C:\Windows\system32\csrss.exe{F6EEFE7F-7AD0-63C6-7C02-00000000B102}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000070983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.327{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7AD0-63C6-7C02-00000000B102}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000070982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.329{F6EEFE7F-7AD0-63C6-7C02-00000000B102}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000070981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:12.183{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C693A69A1D31CD7B60EE17A8EC22CE3,SHA256=73D3272EF12799EA65370DFEE8BB99CBEFE68ADC9A3C04C28C58969FAB5C38F3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:13.749{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:13.749{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5E583E50FC8F3ED902FE1CF52348E3,SHA256=5E799E67D5004367E18D0D8136BEBB6B47E2259C6407F8C29A7F7EFFA6AD7E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.910{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E6E8B70E48E1A18ECC58E6108D1B1C85,SHA256=DA5A3F40007607BC93DF63D512220037D25C7A9F0C75188F24C649DC21D96242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.488{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD7A6B7486BF9772E36FCBEC46D90CB,SHA256=2707E0D0C41250144383E650F2175F96A4718B129A3661118582CC046C84476D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.431{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.422{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.390{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.380{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 23542300x800000000000000071030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.361{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E86C80000F7E7307B6F0EDE6C87908BF,SHA256=079C4031F1B814E5936B6A3BFA0EF4CC34527F3480554973C2C81D44327E60C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.361{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F6A6FBA8C2A73D50E0E3BFDC976626C2,SHA256=9E9B5DAB3A35E1C298D4761C24044E1252D22A4BCCB35C617D3D8FA4EE640118,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.358{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.351{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.337{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.332{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.330{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.323{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.318{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.308{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.303{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.298{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.296{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.295{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.293{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.291{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.282{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.279{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.277{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.255{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.239{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.223{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.213{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.178{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.165{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.156{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.140{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.134{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000071000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.129{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.123{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.115{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.108{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.101{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 10341000x800000000000000070995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:13.099{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A5D6190) 11241100x8000000000000000105997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:14.823{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:14.823{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAFF26A5B373BE6A5C34A9946480989,SHA256=CCC66026C20DE0FAD55523A6E83616907F93BA23C1CDE82D575C78AF27F1E0A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7AD2-63C6-7E02-00000000B102}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7AD2-63C6-7E02-00000000B102}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.920{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7AD2-63C6-7E02-00000000B102}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.921{F6EEFE7F-7AD2-63C6-7E02-00000000B102}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.701{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00540BF161A4129C6923E72CC4582A5,SHA256=9015BCDBEFB04329A97D361FDD199F0F309D01F2C71C432CD855B53BEC726B21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7AD2-63C6-7D02-00000000B102}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000071054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.335{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7AD2-63C6-7D02-00000000B102}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000071053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.330{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7AD2-63C6-7D02-00000000B102}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000071052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.329{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7AD2-63C6-7D02-00000000B102}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000071051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.329{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7AD2-63C6-7D02-00000000B102}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000071050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.329{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7AD2-63C6-7D02-00000000B102}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000071049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7AD2-63C6-7D02-00000000B102}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7AD2-63C6-7D02-00000000B102}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.252{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7AD2-63C6-7D02-00000000B102}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:14.253{F6EEFE7F-7AD2-63C6-7D02-00000000B102}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000105999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:15.905{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000105998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:15.905{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B847947793890F77DB2DC334E38D03AD,SHA256=18BD3C90B65440BCF4E3AEDE4290576557D5A82C6D93A2A537795C5BA0FA5CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:15.435{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B690B1842D49AADB4301C2BA23488B49,SHA256=9C95F94E764A7DCCFF9E35871F8222EA6E547BEA42BE16513D1F0759575BBFEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:15.154{F6EEFE7F-7AD2-63C6-7E02-00000000B102}14524416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000106001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:16.981{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:16.981{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700A59E2EE49AB09D9197FCC315836DB,SHA256=B87DABCA6316A0AC049D12A6C25F57F4BF5147243C849A6D5C531C05C8C7E447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.519{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF52A91A7E3334556320F738A5607C5B,SHA256=7D38222C429DCDFD38639DFFE01EF413C8D9977A892F11F086CEFC1933DC97A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.488{F6EEFE7F-7AD4-63C6-7F02-00000000B102}41925288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7AD4-63C6-7F02-00000000B102}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7AD4-63C6-7F02-00000000B102}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.269{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7AD4-63C6-7F02-00000000B102}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:16.270{F6EEFE7F-7AD4-63C6-7F02-00000000B102}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.889{F6EEFE7F-7AD5-63C6-8102-00000000B102}57325048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7AD5-63C6-8102-00000000B102}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7AD5-63C6-8102-00000000B102}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.718{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7AD5-63C6-8102-00000000B102}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.720{F6EEFE7F-7AD5-63C6-8102-00000000B102}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.608{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF758D61A7FDBFA6245C28B131FE5C8,SHA256=1AB92D6E561D732C2D04C9D27C3154D709046B4299ADEBF64313C6F4F8A4838E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.391{F6EEFE7F-7AD5-63C6-8002-00000000B102}3820944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000071100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:15.079{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50419-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000071099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7AD5-63C6-8002-00000000B102}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEE-63C6-0500-00000000B102}404420C:\Windows\system32\csrss.exe{F6EEFE7F-7AD5-63C6-8002-00000000B102}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.197{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7AD5-63C6-8002-00000000B102}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:17.198{F6EEFE7F-7AD5-63C6-8002-00000000B102}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:18.789{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD1B784B454831C5B0EA853C68AA5F3,SHA256=F16E1846A8C99F512B6481B3F8B38E224335EEC8E6BB054BE9CE0C21A0DBBC42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:18.774{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE45A2B3CAEE5EDD442ACB789497DD97,SHA256=839BA7175A4E8BFECF66E04D62A33422A433218ECAD95FEEDE9713AAB23D4B77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:16.360{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64619-false10.0.1.12-8000- 11241100x8000000000000000106004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:18.182{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-17 10:39:18.182 11241100x8000000000000000106003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:18.026{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:18.026{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C968D1AE5C995046BAB1B71F47249E3,SHA256=D0DF257831B4C80CE5121B67B7631B2B30D49F649846581EA127CC96B8368C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.871{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8FA89B1EA5266BEE2913705B88E1626,SHA256=0FC66D86C00EE98E09085B0BFD4129637F86A0003D3BA5C373DEEF539C2CA756,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.984{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000106054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.983{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.983{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.982{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.980{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.980{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000106049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.979{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000106048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.979{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.979{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000106046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000106044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000106042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000106040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000106036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000106033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000106031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.970{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000106028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000106021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000106019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000106014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.961{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000106007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.082{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:19.081{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EB6E20E2AEF52C6253851E423F064E,SHA256=017F3C042A35463E27057C472DC056867EF513A9C482383A4C54E9A6387FE860,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.534{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7AD7-63C6-8202-00000000B102}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000071133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.533{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7AD7-63C6-8202-00000000B102}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000071132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.533{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245596C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7AD7-63C6-8202-00000000B102}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012980190) 10341000x800000000000000071131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CF1-63C6-2B00-00000000B102}28402860C:\Windows\system32\conhost.exe{F6EEFE7F-7AD7-63C6-8202-00000000B102}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEE-63C6-0C00-00000000B102}71696C:\Windows\system32\svchost.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEE-63C6-0500-00000000B102}404520C:\Windows\system32\csrss.exe{F6EEFE7F-7AD7-63C6-8202-00000000B102}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000071120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.504{F6EEFE7F-6CEF-63C6-2100-00000000B102}11043228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6EEFE7F-7AD7-63C6-8202-00000000B102}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000071119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:19.505{F6EEFE7F-7AD7-63C6-8202-00000000B102}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6EEFE7F-6CEE-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000106113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.837{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000106112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.837{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.837{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000106110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.725{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-16 13:16:43.159 23542300x8000000000000000106109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.725{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=58CBFDF2CBAF9CC76CB6DF75596FC641,SHA256=1E38ACFC15E888C0FE52E19E2224823EAF7D09A16E0B188475006D228179A31C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.653{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000106107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.653{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.652{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.651{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.650{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.649{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000106102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.649{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000106101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.648{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.642{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000106099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.642{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.641{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.635{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.635{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.635{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.635{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.634{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.634{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.634{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000106090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.634{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000106089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.634{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000106088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.633{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.633{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.633{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000106085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.633{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000106084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.633{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.632{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.631{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.631{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.631{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.631{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000106078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.631{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.631{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000106076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.631{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.630{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000106074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.630{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.630{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000106072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.629{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.628{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.628{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.628{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000106068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.627{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.627{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000106066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.627{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.627{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.627{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.626{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.626{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.626{F172AD64-7AD8-63C6-E402-00000000B002}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000106060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.161{F172AD64-7AD7-63C6-E302-00000000B002}69764212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.161{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.161{F172AD64-7AD7-63C6-E302-00000000B002}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000106057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.153{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.153{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2EE8E03FBE044E8D27D3F616F454F3,SHA256=EE7BC538A7F859739B244E5EF2B9D5B6B2CCE5141824BF80A5CE0C64904D746A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:21.067{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5774C9CBD93D53CD9ABFA16BF8ADA4B9,SHA256=ECCDDFAD49963DD2D525B76BE1A0A53787116F1135581D60173008F024BD6A51,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.920{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000106172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.911{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.911{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000106170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.745{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000106169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.744{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.744{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.743{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.741{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.741{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000106164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.740{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000106163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.739{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.733{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000106161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.732{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000106160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.732{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.732{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.731{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.731{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.731{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.731{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.730{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000106153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.730{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.730{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.730{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.730{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000106149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.729{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000106148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.729{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.729{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.729{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.729{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.729{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.729{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.729{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.729{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000106140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.729{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000106139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.728{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000106138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.728{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000106137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.728{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000106136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.728{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.728{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000106134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.727{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000106133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.727{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.727{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000106131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.726{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000106130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.726{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.725{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.725{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.724{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.724{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000106125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.724{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.724{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.724{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.723{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.723{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.723{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.723{F172AD64-7AD9-63C6-E502-00000000B002}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.581{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A77997B799B607E135C4115842FA9F3D,SHA256=21AAB1E06C57BEB44D44F1BB1FC369963B65A4EFCC51CE26719A7D3930609C5E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.286{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.285{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4488AB3D9C7F298FE8D96EA7E272B26,SHA256=FC4854FC12C50B73B0A886E5B72B4F7DB05DCE2A76A371761CE9578F1CF1C9ED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.083{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000106114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:21.082{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=703B411D1847FFDD9A73C37809830838,SHA256=29627740D77ADCB2CF3056B427332CE316A634CCCC19F5E5B4A30235A60BD142,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:22.835{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:22.835{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F145CFEE508A1152FE7231CB8F12B86D,SHA256=B0755A9C6486AD10979CAFD49577B174D869B920984226A147FDF79568605E91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.790{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64620-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x8000000000000000106174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:20.790{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local64620-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x800000000000000071138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:21.086{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50420-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000071137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:22.366{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7183535935D698262D2184C0E17FB07,SHA256=2CC0F2FF090A963ADED6F113297D3C74EE9C0B9B959EBFBCD29D23FFA7416ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:23.448{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7E6E10AE8DCDB88DA0D69C44E1C489,SHA256=6BFBE92F563F2E6CF6C9142195082D8E69B13999D44A1DB774AEF93A9EEF23B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:23.889{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:23.889{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A63F32DD8664BDE1B173DDB522BE248,SHA256=154EB0110BB55844296596F2589E3B651286F921FE965D8E02B84E0FC5397E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:24.524{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930A86C19078AD179AFC6FE2CFEBE135,SHA256=F2CBFC8CACE24325FE2CA4762913C129498561D8584B326E5B7D6C8D37751193,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.996{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.996{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87E41122B8DA1830FDE62010AF705E1,SHA256=7416832F0936851ACE464FB5282089758B072C1A158E4601965E3DCBEC7075C7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.921{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000106280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.921{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.921{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.921{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.919{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.918{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000106275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.918{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000106274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.916{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.908{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000106272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.907{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.906{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.905{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.903{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.903{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.903{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.902{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.902{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000106264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.902{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000106263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.902{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.901{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 11241100x8000000000000000106261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.901{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 734700x8000000000000000106260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.901{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000106259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.901{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.901{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.901{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 23542300x8000000000000000106256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.900{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086C9921E702D84DB70E4B6D43576906,SHA256=66F765B2E1C54DC73EFEB5829AD8DC72A61321D60DA31F2A4EEC841757402AFE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.900{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.900{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.900{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.900{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000106251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.900{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.899{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.899{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000106248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.899{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.899{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.899{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.899{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000106244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.898{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.897{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.897{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.896{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.896{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000106239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.896{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.896{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.896{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.895{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.895{F172AD64-6CE6-63C6-0500-00000000B002}408524C:\Windows\system32\csrss.exe{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.895{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.894{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000106232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:22.263{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64621-false10.0.1.12-8000- 734700x8000000000000000106231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.523{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000106230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.523{F172AD64-7ADC-63C6-E602-00000000B002}70648160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.513{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.512{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000106227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.285{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000106226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.284{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.284{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.282{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.280{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.280{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000106221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.279{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000106220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.279{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000106218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000106210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000106209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000106205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000106204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000106202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.262{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.246{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.246{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000106198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.246{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000106197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.246{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.246{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.246{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000106194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.246{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000106191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000106186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-6CE6-63C6-0500-00000000B002}408376C:\Windows\system32\csrss.exe{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.230{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:24.231{F172AD64-7ADC-63C6-E602-00000000B002}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:25.623{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EACF64090F269CA9E76106412B52BA1D,SHA256=13C55692CBF3A5415B596639249FC8BDD790BD57910E3EB4F4A2D4632277D7F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.915{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.915{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62784A03F652CF1DC2F3FE16505730E7,SHA256=25CC87828084F425820EFF0A9F67E733D2B2A1AD1DBBD050D9E424ED53222068,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.811{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000106337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.811{F172AD64-7ADD-63C6-E802-00000000B002}76684756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.811{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.796{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000106334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.595{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000106333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.595{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.595{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.595{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.595{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.595{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000106328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.595{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000106327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.595{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000106325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000106315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000106314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000106313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000106312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000106308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000106306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000106300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000106299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000106294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.579{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.580{F172AD64-7ADD-63C6-E802-00000000B002}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000106287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.111{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000106286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.111{F172AD64-7ADC-63C6-E702-00000000B002}38288140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.111{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:25.111{F172AD64-7ADC-63C6-E702-00000000B002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:26.724{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BC5BB3E660E301689194EAC9929BB2,SHA256=0B8DEE1B4EF08353D21810DA6D01211FD154CB6AE18DE378FEFE31DBE11AC710,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.654{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000106394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.654{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D173D3F37957DB9DD93E84CC85A4E107,SHA256=4CD917B15C24FC5365C20D7ECFDE3DC945195C9F0D8DF0449756540E056B6B58,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.596{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000106392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.596{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.596{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000106390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000106389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000106385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000106384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000106382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.5648 (rs1_release.230105-1654)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=D94050279F22A10B7291C20397B34815,SHA256=913F4B4BB319F5FBB33CAD37ED2926E0D18C30BF60626888B2BD304699642A44,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000106378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.438{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.437{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000106375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.437{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.437{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.437{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000106372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.437{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.437{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5648 (rs1_release.230105-1654)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=3C6A41CB05C121405B7A4E20C055F028,SHA256=E878D71FD1F0B4EC43688D75519C454A68BA6AB1F37822B26528C5150A365C28,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.437{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.436{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.436{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.436{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.436{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000106365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.436{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.436{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.436{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000106362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.435{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5648 (rs1_release.230105-1654)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B6239DE0BF70B7B63793E3BF31FFA8DA,SHA256=77F649A248D1FBDD1AB9ED8B92D976E9ECA3006995C377C458BEFF936F889002,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.435{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000106360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.435{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.435{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000106358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.434{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.434{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000106356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.434{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.434{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000106354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.433{F172AD64-6CF7-63C6-3800-00000000B002}32723292C:\Windows\system32\conhost.exe{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.432{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.432{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.431{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.431{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000106349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.431{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.431{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.431{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.430{F172AD64-6CE7-63C6-0C00-00000000B002}8321012C:\Windows\system32\svchost.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.430{F172AD64-6CE6-63C6-0500-00000000B002}408424C:\Windows\system32\csrss.exe{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.430{F172AD64-6CF6-63C6-2D00-00000000B002}27603916C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.429{F172AD64-7ADE-63C6-E902-00000000B002}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F172AD64-6CE6-63C6-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000106342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.080{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:26.080{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B768D5D1EC111D7EECCBD61F5F2FB05,SHA256=81260217985A953954782393CB4C78D42B473A1DA36A1B2EC2BB42D8FEDEE7A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:27.814{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FD6562BE434647B321BB9048DEDCCF,SHA256=434D8A00070EA8C3513FADC7157D517489333909BC8BAB05F182DDEDABFAA008,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:27.999{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:27.996{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE6-63C6-0900-00000000B002}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x8000000000000000106397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:27.211{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:27.211{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6936E03E34C67096A91199C4D7CFF14,SHA256=4E140E1A73B245235696113954167B5D833C8039B48595535D1A1F48D8D85E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:28.900{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB85FE6EA80F8E7319621AB01F0ACD1,SHA256=2D513B1F898CB29A77E705956C6670C123EC180D1B46C38F93AF2CE53415597B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.282{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.282{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0AD7246B94EFAC506406BA9F179BBA,SHA256=25D45D6B2793716603F3775C04CABAB4447CE3A63270AEBEA98E5FD917D98F45,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:27.088{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50421-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000106419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.209{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2A00-00000000B002}2704C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.206{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2900-00000000B002}2696C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.201{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2800-00000000B002}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.197{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.195{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2600-00000000B002}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.189{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2500-00000000B002}2504C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.185{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF1-63C6-2300-00000000B002}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.183{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1900-00000000B002}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.181{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1700-00000000B002}1456C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.176{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1600-00000000B002}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.159{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1500-00000000B002}1120C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.153{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1400-00000000B002}1040C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.145{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1300-00000000B002}680C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.133{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1200-00000000B002}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.118{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1100-00000000B002}612C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.082{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.070{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0F00-00000000B002}8C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.058{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0E00-00000000B002}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.044{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE8-63C6-0D00-00000000B002}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.034{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CE7-63C6-0C00-00000000B002}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x800000000000000071147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:29.983{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A9B2EFC5B64BD32E013CEF277A8855,SHA256=46C929CB23108765051B358DF7A1CC884A85535950FC58B93E164755F3FA107C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:29.531{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:29.530{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89EBB94EB1F3798E3784B67DB789BD05,SHA256=2B3EC21B2E5E782C5327BD346720F5EC9BF669AAD67BD6833100F4F57E0483CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:29.166{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\respondent-20230117094002-057MD5=E7232A939BBE2CB28B698C3801790D5F,SHA256=88B82DB67F43520831C7A2C6EDB629DD00B5E675F9E4A46DD3B49D97A0C23DF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:28.204{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64622-false10.0.1.12-8000- 10341000x8000000000000000106431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:30.716{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3300-00000000B002}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:30.714{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-3100-00000000B002}2992C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x8000000000000000106429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:30.604{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:30.603{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C980652E2805C82E23C96F2B2F55FD3,SHA256=A68390A84CF6739F2B9C322BA5AEEB848F79A4B2E20E99AC7B90A9D215194AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:30.172{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c6ccd00148d5f92d\channels\health\surveyor-20230117094000-058MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:30.287{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2E00-00000000B002}2784C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:30.283{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:30.276{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2C00-00000000B002}2720C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:30.255{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF6-63C6-2B00-00000000B002}2712C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 23542300x800000000000000071149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:31.069{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F17539BCC1A4D8A3546F0A1C80C9E8,SHA256=996CEEB2A6D76F07BAF34905D22FDE3198663600C49F229E78F11026A02F85F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.415{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A96-63C6-DA02-00000000B002}7016C:\Windows\system32\NOTEPAD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.413{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A31-63C6-BE02-00000000B002}4508C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.411{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A16-63C6-AE02-00000000B002}7192C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.408{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AD02-00000000B002}2088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.406{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A13-63C6-AC02-00000000B002}7944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.404{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AB02-00000000B002}5080C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.401{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-AA02-00000000B002}7360C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.399{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A11-63C6-A902-00000000B002}7516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.396{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A07-63C6-A802-00000000B002}7320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.394{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A03-63C6-A702-00000000B002}7544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.390{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A602-00000000B002}7764C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.388{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7A02-63C6-A402-00000000B002}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.385{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7945-63C6-7602-00000000B002}7036C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.382{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7944-63C6-7502-00000000B002}6912C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.380{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7402-00000000B002}6492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.376{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7943-63C6-7302-00000000B002}1584C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.373{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7939-63C6-6C02-00000000B002}7092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.370{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6A02-00000000B002}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.367{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7938-63C6-6902-00000000B002}5292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.360{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6602-00000000B002}6688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.358{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7937-63C6-6502-00000000B002}6588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.332{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.330{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7922-63C6-5702-00000000B002}3852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.329{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3602-00000000B002}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.328{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-784A-63C6-3502-00000000B002}7084C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.327{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-77C4-63C6-1F02-00000000B002}6124C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.310{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763E-63C6-CA01-00000000B002}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.298{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-763D-63C6-C901-00000000B002}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.295{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7635-63C6-BC01-00000000B002}5040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.269{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-B901-00000000B002}4900C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.262{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AF01-00000000B002}4320C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.250{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7634-63C6-AC01-00000000B002}4196C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.245{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7632-63C6-A801-00000000B002}3112C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.244{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-7631-63C6-A601-00000000B002}3088C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.242{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6F1B-63C6-C500-00000000B002}3672C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.239{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D70-63C6-8900-00000000B002}3080C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.237{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.235{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.234{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4500-00000000B002}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.232{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 10341000x8000000000000000106435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.231{F172AD64-7640-63C6-CB01-00000000B002}61966324C:\Program Files\Aurora-Agent\aurora-agent.exe{F172AD64-6CF7-63C6-3800-00000000B002}3272C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100610) 11241100x8000000000000000106434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.197{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-16 13:19:37.604 23542300x8000000000000000106433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:31.197{F172AD64-6CF6-63C6-2D00-00000000B002}2760NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=933902DFB557A4F56A20D4F33F6D3930,SHA256=9C510A58637A8B443000B337BCE1895A51E616D3BD717343380EB910E81DEC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:32.159{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F13B95B6935A657146EEF09E893885,SHA256=175357BA167C2718E43CE1BD8A824B0AAC3AFC36B49DC6C3B4D4E9747F162E67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:30.319{F172AD64-6CF6-63C6-2D00-00000000B002}2760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64623-false10.0.1.12-8089- 11241100x8000000000000000106477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:32.096{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:32.096{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694D190BC000E15F8F2E6D8130C15FCF,SHA256=4D202B03AF370EC4DD14E6FDAC0B164F36EBB43AAB4A30D1052916B704CF8AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.824{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508A600469066DD91F369EA3ED95FE44,SHA256=D9DEFCA68994A8AD3728B7B913D24DF78120950EE49141DDCC0CFD33539CB5CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.425{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-75F6-63C6-E701-00000000B102}4680C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.416{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-7590-63C6-D001-00000000B102}5132C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.389{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D6-63C6-9801-00000000B102}4984C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.375{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D5-63C6-9701-00000000B102}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.345{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74D0-63C6-8801-00000000B102}3384C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.331{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7F01-00000000B102}3736C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.306{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CF-63C6-7C01-00000000B102}1960C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.299{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CE-63C6-7701-00000000B102}1368C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.296{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-74CC-63C6-7501-00000000B102}3516C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x8000000000000000106483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:33.914{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CCA-63C6-0100-00000000B002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000106482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:33.814{F172AD64-6CE6-63C6-0B00-00000000B002}6244580C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:33.814{F172AD64-6CE6-63C6-0B00-00000000B002}624100C:\Windows\system32\lsass.exe{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000106480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:33.283{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:33.283{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB25ADE85A52E26122A78C7E914D6FF1,SHA256=CD4E086AA5A8E02D0D8C45C88CE42E15F748F2DD0CE4FF5177B0C11C4ADA0E11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000071179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.290{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-70F5-63C6-FB00-00000000B102}3812C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.287{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D69-63C6-8200-00000000B102}3960C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.284{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.276{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.274{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF2-63C6-3F00-00000000B102}3036C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.272{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-3C00-00000000B102}3004C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.271{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF1-63C6-2B00-00000000B102}2840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.268{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2600-00000000B102}2508C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.266{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CF0-63C6-2300-00000000B102}2248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.262{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2200-00000000B102}1320C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.257{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-2100-00000000B102}1104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.249{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1E00-00000000B102}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.245{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1D00-00000000B102}1916C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.239{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1C00-00000000B102}1904C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.230{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1900-00000000B102}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.226{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1700-00000000B102}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.212{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1600-00000000B102}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.202{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1500-00000000B102}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.176{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1400-00000000B102}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.166{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1300-00000000B102}792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.158{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1200-00000000B102}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.148{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1100-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.141{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-1000-00000000B102}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.136{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0F00-00000000B102}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.127{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0E00-00000000B102}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.119{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEF-63C6-0D00-00000000B102}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.110{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0C00-00000000B102}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.103{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0B00-00000000B102}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000071151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.100{F6EEFE7F-74DD-63C6-9C01-00000000B102}55245556C:\Program Files\Aurora-Agent\aurora-agent.exe{F6EEFE7F-6CEE-63C6-0900-00000000B102}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 354300x800000000000000071191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:33.092{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50422-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000071190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:34.317{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7767CCE27496F73FF9ABA82AA9E5A0,SHA256=CFCF21CF143B034B509B829A3855A70A50E21D7493CD62A0687F0B89F32B444F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:34.882{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-16 13:17:12.995 23542300x8000000000000000106488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:34.882{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57480E9648FBDFB330FA0149CCD3373,SHA256=BE0C2E805BB5A42F9BDFE8670F678899BCDAC91333160EDBC149984DC1091E7B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:34.731{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-16 13:16:44.659 23542300x8000000000000000106486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:34.731{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5D7499B99E76896948E371187ABCC232,SHA256=44CB4522957A2AC4EE37FA913478381AD18249689E68050543455A2AAF3443AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:34.301{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:34.301{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD01C9588552917F1F5334A1739B03C8,SHA256=6FFFEC3F49336E13365F4A753FA6122166B64568A7B54DA25254EFF9050DF612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:35.521{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993DB7AC4ABDE676A11A09039C513C03,SHA256=30A84E29975D24475ECB8325A554127F943119B407261BF61EB1900958E85CF9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:35.334{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:35.333{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A936C9AE7861D8B3366FDC14644516D8,SHA256=BB5FE1854B93FD6F1733B27FE67283E45CEFD6A3D9D0952551212EB942FD36C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:32.967{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64625-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x8000000000000000106492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:32.967{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64625-false10.0.1.14win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x8000000000000000106491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:32.955{F172AD64-6CE6-63C6-0B00-00000000B002}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local64624-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local389ldap 354300x8000000000000000106490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:32.955{F172AD64-6CE8-63C6-1000-00000000B002}356C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local64624-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local389ldap 23542300x800000000000000071193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:36.723{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A8FC3E0973258931D5BCEEB7FEE6FC,SHA256=48DF616FD0DF8E93C192BF31C64339DDD4D396F19D3F1E309C19F23D972CD9FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:36.434{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:36.433{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B569AD927500C7410001E1E4045A8287,SHA256=27D0C1F35418FA205992B7A2BB8DB680B5EE6A24111E29A723FDB762A1AEC0DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:33.056{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local64626-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local445microsoft-ds 354300x8000000000000000106499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:33.056{F172AD64-6CCA-63C6-0100-00000000B002}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local64626-truefe80:0:0:0:fc8c:e42c:7d3f:51d8win-dc-ctus-attack-range-141.attackrange.local445microsoft-ds 23542300x8000000000000000106498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:36.087{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\respondent-20230117094008-057MD5=C6C24FBE255DE69FE5C00E3409D56D84,SHA256=0551D43A219F4C555DAC0301B436EBEB940CEEE1A299EC1FD65306CD3EE2D459,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:36.086{F172AD64-6CF8-63C6-4100-00000000B002}3536C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\respondent-20230117094008-0572023-01-17 10:39:36.086 11241100x8000000000000000106496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:36.083{F172AD64-6CF6-63C6-2700-00000000B002}2584C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\tmp\surveyor-20230117094006-0582023-01-17 10:39:36.083 11241100x8000000000000000106508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:37.614{F172AD64-7935-63C6-6402-00000000B002}2296C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.bin2023-01-17 10:38:37.510 23542300x8000000000000000106507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:37.613{F172AD64-7935-63C6-6402-00000000B002}2296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cuj52sse.default-release\datareporting\glean\db\data.safe.binMD5=70E3CB395C76B44D891DECDC29B8E789,SHA256=734FE8EB4B2511EFE64A105CAEE15067AABC8C6DDFB3B945DC35503893FB999E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:37.553{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:37.553{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD3B854E489AD470B26068EDAC72484,SHA256=F03B3A2E6576F25F80C244886956469A003697C082B8E3A6585151C5DAD9A11A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:34.219{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64627-false10.0.1.12-8000- 23542300x8000000000000000106503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:37.097{F172AD64-6CF6-63C6-2700-00000000B002}2584NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0058d842385645703\channels\health\surveyor-20230117094006-058MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:38.587{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:38.587{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631222B021BB8B65974D7716BDE106DE,SHA256=D2B2410A52EB2FE736DC876B526B4DDAD37D6F9B5DDEFD07FD8ACC4EDAB3DF10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:38.026{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB62A9132929A6687950E533CB0EE7E,SHA256=7ECCBB9D2514460B6A361C46FAF8E98D40747DDFF5B54DEEA43E96388F2A4B06,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:39.618{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:39.618{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8786C45AAC9A3FFE345012102E77A300,SHA256=AD4F2C575AABF683E2553BBF687A573DCDE45EAC1CD48A82CEEA68E49CB46A9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000071196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:38.151{F6EEFE7F-6CFB-63C6-6200-00000000B102}3340C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-245.us-east-2.compute.internal50423-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000071195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:39.108{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22FC3FAC16D882B818BB7F91D2ADF58,SHA256=24B62ADFD081B558FAF83DC3F20A27F82420595419A19B7373208B1F5DCC8722,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:40.634{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:40.634{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0783E91E68F8D4ACA4A6ECD605089B78,SHA256=3982B57E624C2DA209692A12D07C21458CE58B363265DC2A066988ACE334FF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:40.184{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BAD3056C5F245372485A17B9EA78AED,SHA256=989A9A6073E85C5D598803DCC2DAA92147E81169DD528B4157255E75086E1B8A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:41.736{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:41.736{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0245012D824970ABD5CB47D37D8FA7,SHA256=AA9308B72E0281BA414CEC0DB3D57AC0811EC5398C553C868ABE42C71FB8ADDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:41.269{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83EAE266497981B0431BE86146A2B86,SHA256=960C6D855B2062FAA086B729076C3D749AE15F47107EE8498EED507E03150F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000071199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-245-2023-01-17 10:39:42.356{F6EEFE7F-6D02-63C6-6D00-00000000B102}3792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4233332D7245986E0BBC13257ECB0E12,SHA256=E8061A6DAC84114320B35D3F4AED12A512C8B76892C3AA47ED552340A2F0E327,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:42.878{F172AD64-6D09-63C6-7B00-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-16 13:19:02.609 23542300x8000000000000000106518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:42.878{F172AD64-6D09-63C6-7B00-00000000B002}3228NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826D27090C0E4BE7E8D6CDE464C119D5,SHA256=4CF7191F9757AAED033C65B2AE0DEE06BA656014C59F498ED2C8A8CC16FB044B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-141.attackrange.local-2023-01-17 10:39:40.216{F172AD64-6D01-63C6-7100-00000000B002}4024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-141.attackrange.local64628-false10.0.1.12-8000-